davey I have reinstalled the OS 4 times in the last week and I break things and revert to stock
If you're just about starting over, you don't need to reinstall GOS. A simple factory reset will do this for you much quicker and more conveniently.
davey When looking for an app to install, I start by looking in F-Droid, and then in Aurora (anonymous).
There are many ways to install apps. From what I can see, you might just want to use Google Play Store as the more secure method of installing apps. You have installed Sandboxed Play Services already and can create a throwaway Google account to keep most of your privacy. A guide on how to create such an account has been written here.
You could also replace F-Droid with Droid-ify for an easier user experience and auto-updates. Or look into Obtainium.
davey If I like app X and want to buy it, can that happen, and if so, how?
You might be able to charge up your throwaway Google account with gift cards from the supermarket but I don't know if that works without also giving identifiers.
davey sandboxes on my phone, but to use a widget, I assume that I have to be logged into the correct sandbox?
If you refer to user profiles, then yes they are treated as totally independent users. One user can't see the data of another and will always require an extra user slot in your ProtonVPN subscription.
davey I am looking for a somewhat secure and private experience, but I am not in any dire need of extreme security
This is where threat modeling comes in. The better you know yourself, the quicker you can answer the question of what you want to do with your GOS setup. Using GOS alone gives you huge advantages by default, but for fine-tuning I recommend reading here, here and here.
davey should I log into a Google account, and what are the real consequences of doing so or not doing so?
Google will be able to see some things (e.g. what apps you have installed and the information they share with Google). That's already true because you have Play Services installed. Now Google can attribute this knowledge to a single profile. The question is: Can Google connect the profile to your real life identity? If you are careful, that shouldn't happen.
Anyway, the amount of data Google receives from you is greatly reduced by using GOS. On almost every other Android setup, Google has privileges to see pretty much everything: your usage patterns, sensors, location, settings etc. On GOS, Google won't see more than any other app you install if you don't want it to.
I'm not speaking for the GOS project, only as an enthusiastic user. Always cross-check and don't trust me.