TrustExecutor GrapheneOS has no interaction with FCM per se.
Each app obtains a registration token that uniquely identifies the app instance so that FCM knows where to direct the notifications to.
FCM knows a device is online when apps connect to it identifying themselves with that token.
No user apps have access to Hardware Identifiers which is outlined here: https://grapheneos.org/faq#hardware-identifiers
Info on FCM can be found here: https://firebase.google.com/docs/cloud-messaging
As far as installing sandboxed Play Services goes you should install all of them when network services are required. Play Store isn't just a shop front as it provides Play Asset/Feature Delivery, etc. and we can only support you if apps stop working or dont work if you don't.