Hello and welcome! Thank you for reaching out with these questions. It looks like we have a lot of ground to cover, so let's get started:
I bought a spare Pixel 3a (what does "legacy" means here btw, it won't receive updates soon? When? Should I not start using it?)
The legacy title here means that those particular devices are not getting full security updates. That's not because we don't want to provide them, but because it's impossible since the OEM is no longer providing firmware updates.
A lot of other OSes try to downplay the significance of this, but GrapheneOS doesn't want to mislead people who use the OS. GrapheneOS (or any OS) cannot provide full security updates after the OEM stops officially supporting a device.
The devices are partially supported as a harm reduction method to help people migrate to a supported device as quickly as possible and it's not meant to mislead people into thinking their device is secure. This, of course, is not unique to GrapheneOS. No OS can provide full security updates after official support for it ends, despite what they might claim. This is explained at:
I never used Android 12, and the OS itself looks very cool (even if I'm not sure I need such a level of security, so I maybe disagree about the browser choice and favorite Firefox, especially if the default one doesn't allow to block ads).
The default browser on GrapheneOS is Vanadium, which is a hardened fork of Chromium. It provides substantial security benefits over other browsers, and especially Firefox.
For more information on web browsing on GrapheneOS (as well as more information on Firefox and why it's not recommended), please take a look at this section of the usage guide:
On ad-blocking, it's planned for Vanadium to eventually have content blocking built-in, but it's possible to do system-wide blocking by using DNS, as explained here:
As a new user, I'm confused about how to install apps. There is an app called "App" that you may think would be a store, but it actually only proposes you to install the Google Play Store (sounds weird to me, it could have been F-Droid, Aurora or even the new App Lounge by /e/ OS which is super nice). So, basically, the OS comes with no store? What is the recommendation then?
GrapheneOS doesn't bundle a specific general app store because it doesn't want to make a choice for you. It is officially recommended to use Sandboxed Google Play and use the Play Store, as it is a very secure and relatively private option on GrapheneOS thanks to the way Sandboxed Google Play works. Basically, it makes these otherwise privileged apps work within the regular app sandbox. Therefore, they're not different compared to all other apps.
If you don't want to use Play Store, there are other options, such as Aurora Store, which is an alternative Play Store frontend.
I wouldn't really recommend F-Droid because it has numerous security issues.
Ultimately, the decision of which app store you use is up to you (as it should be).
Linked to the point above, I'm not sure how to use those sandboxed profile for apps. Because there is no store, I manually downloaded the Signal APK, and installed it without doing anything special. Should I do that? Is Graphene doing the sandboxing for me, for each app? Or am I suppose to do something specific for the apps I don't trust?
All apps in Android are sandboxed by default. There's nothing special that you need to do to achieve that. GrapheneOS strengthens that sandbox, of course.
What you're most likely referring to are user profiles, but user profiles do not provide an additional sandbox and are not required to ensure that apps you install are sandboxed. It's just there as an option to provide further isolation. Essentially, user profiles are the closest thing to have a separate phone per profile that you can't get without an actual second device.
I'd like to synchronize my contacts, calendar, photos... with my Nextcloud. But when I go to the settings to add an account, well, it doesn't work. Tapping on the button makes the screen moves a bit to show you the tap is received, but nothing happens. Same when I try from the contacts app. I guess this is a bug? Should I install the Nextcloud app to sync everything then?
I don't use Nextcloud so I'm afraid I cannot help you here. Hopefully someone in the community can shed some light on that. :)
As a final suggestion, if you're interested in learning more about GrapheneOS, I would highly recommend reading through our documentation as it will likely answer most of your questions.
Thank you once again for reaching out, and I hope you enjoy GrapheneOS!