aw22 That's the same with every phone... Unfortunately!
No backup solution, not even Google's own cloud backup solution, backs up keystores for all apps. Seedvault is actually one of the best, it's why I'm such a fan (maybe the only fan) of it! It works wonderfully.
I used to root my phone persistently, until @GrapheneOS and I had a nice long talk and he opened my eyes on what a huge security flaw persistent root was, even with an always-locked bootloader and verified boot being enabled. That's how I was doing it, which is a lot more complicated than the standard way, which is really insecure! The locked bootloader way is also unfortunately destroying the GrapheneOS security model, and as time goes on there is less and less of a reason to even do it!
Seedvault now works like a very good root-based backup. Its flaws on restoring (some apps need reinstalling because they crash, cannot restore keystores) are exactly the same as those of any root backup solution.
There's one app, App Manager, which does not need root. It has a no-root mode, doesn't even need wireless debugging (also insecure!) but can use that too. You don't get much benefit from it though; in no-root mode App Manager is excellent for restoring those apps that Seedvault cannot restore in D2D mode. Just exclude those apps from Seedvault backup (in the "backup status" screen, three dots in the upper right corner) and back up the APKs and rules with App Manager. Also, back up rules for ALL your apps in App Manager, then you will get permissions and battery saving status back for all of your apps after restore!
I like App Manager, doesn't need root, and adds a lot of utility to backup/restore. Also does other useful app management things!
I've been building my own releases of GrapheneOS for many months now. So far I only have a hosts file for system-wide adblock/tracker blocking, but I want to sign App Manager with my build keys next... There are a lot of permissions that are hard-coded into it that even root doesn't give it. The author recommends integrating it into a build of a custom ROM, so once I'm done reviewing its code, that's what I'm going to do, once I'm reasonably certain it doesn't have any major security flaws!
Whole partition backup comes with a custom recovery, like TWRP (Team Win Recovery Project). Doesn't need root, because it runs outside of userspace, of course. It's your new recovery! It is only prebuilt for very old Pixels though. I have downloaded the source code, and I'm going to try to compile it for the Pixel 8 Pro sometime, but it seems like quite a complicated project! There's no step-by-step for all of it, just very general guidelines... Also, early versions support decryption of the data on recovered partitions, newer versions don't. I don't know if this is necessary for restoring a full partition backup of your app data including keystores. It would suck if I devoted a few weeks to this and it wouldn't do what I wanted!
I want to make a custom build that securely eventually does everything I want to without root!
I wish there were an easy way to securely do this too! I think it's hard/near-impossible because it would be a lot less secure if it were more possible, so maybe you can take some comfort in that?