Firstly, what you do with your phone is up to you. GrapheneOS already does a lot to improve security and privacy. As long as you take appropriate precautions depending on your personal threat model, you can do whatever you'd like.
That said, I'll make some comments, and you decide what you'd like to do.
Zoanoid answers in GOS docs
You already did step one! The best way to improve security and privacy is to be informed.
Zoanoid Can I use phone/apps from my main profile
You can and many do. Some people find juggling profiles to be too much effort or annoying. It's very convenient to keep everything in one place. Some people on this forum will, incorrectly, suggest using profiles to further sandbox apps. The app sandbox isolates apps well enough within profiles. Just be sure to be smart about permissions you give to apps.
Keeping multiple profiles is also okay. The best advice I've seen regarding profiles on here is to pretend like you have separate phones for unique purposes. Like, one for work, one for personal use, one for social media (if you want that separate from personal), etc.
I've personally chosen to keep my owner profile empty, protected with a password and biometrics disabled. This way certain system settings are protected behind a complex password and if I ever want to lock down my own personal profile, for whatever reason, it's very easy to do. If you have a VPN or Google Play stuff on a personal profile, ending the session for the personal profile means the phone will use way less battery. Personal profile data is also put to rest easier this way without having to restart.
Zoanoid What about VPN?
This is up to you. If you host your own VPN server, you can use an app for that. There are OpenVPN client apps.
In terms of privacy, hosting your own doesn't do much. That traffic can be easily used to track you by 3rd parties since only you use that IP address. Using a VPN service means more people use a single IP address and you can change the server/IP easily.
Not using a VPN means you trust your internet service provider with your browsing data. Using a VPN provider, you trust the VPN provider with your browsing data and hopefully they honor their promise not to track you.
Zoanoid How can I install apps?
Any way you'd like. Many apps require Google Play Services/Framework (GMS), so you might need that to run some apps. Also, using GMS is the easiest way to get instant notifications if you want/need that. Using Google Play is a very safe way to install apps. You can just create a throwaway account if you'd like.
You can install other app stores by downloading the APK from Vanadium (like you asked).
Aurora Store is a good way too. It helps you download apps anonymously from Google Play using one of their Google accounts.
F-Droid is not really recommended, but you can use it if you'd like. There are some issues you can read up on if you'd like. Some posters on here suggest downloading APKs from different app projects' GitHubs. Keeping apps up to date that way takes a lot of extra effort, but it's way safer than trusting F-Droid.