I dont think you need to disable all permissions for the standard stable-as-fuck AOSP apps that GrapheneOS uses. SMS even displays the message "This app is meant for an older version of Android".
I guess your usage is very secure, even though you dont really seem you use your phone to its extent, whats with Messengers, Mail, Weather, Navigation, or other useful (online) apps?
Why do you trust Google so much? On the Playstore there are tons of malware apps, this is a fact. Maybe browsers like Firefox are updated faster than Mull on F-Droid, thats true. But in general, Google can add anything to Apps from the playstore, like the trackin in the Firefox browser. This is not existent on F-Droid apps.
If you want to use a firefox based browser with Addon support or a completely blank Vanadium, depends on your threat model. I dont agree, that its all about security all the time. "Attack surface", yeah I hear you, but when are people getting attacked?
Using an Addon like Ublock with a Malware filterlist, you can avoid shady websites very well. NoScript is a must have.
But Addons like LibRedirect, ClearURLs, "redirect AMP to HTML" also increase privacy, as they interfere with the URLs you open, not the data your browser sends to the sites.
LibRedirect redirects common tracking providers to alternative frontends, that may track themselves, but they are not Google or Facebook. It uses an offline database.
AMP is an invention of Google, centralizing media on their own servers, changing the origin and increasing tracking. They load faster, thats the only benefit.
ClearURLs extends Firefox's ability to remove tracking parameters from URLs, which is not complete afaik.
Using Vanadium may be perfect if you think you will get hacked, but dont tell me I can only use a handfull of search engines. I want to use searx.neocities.org and not DuckDuckGo, I want to search directly on wikipedia, or any other site, instead of always asking a centralized index to find the site I already know for me.