mythodical: We simply cannot trust that Google isn't side-loading telemetry and other data through these channels.
Agreed, kind of. In this case I'm not really surprised Google serves ads this way. Disgusted, sure, but not surprised. Pushing ads is good for the business side of things.
However, I don't believe (but nobody but Google devs can really know) that Google will put so much effort into pulling data off our phones the same way. Nowadays, if they did something especially invasive, deceptive to spy on us, we'd find out about it, i.e. the incognito thing.
Regardless, there's little we can do about app developers including other Google packages (here's a list of some) in their code. Many of these packages have fallbacks in case GMS isn't installed on a phone, according to GrapheneOS's lead developer. Google is being invited to the data party by every app dev who adds this stuff.
Also, building off of what the lead dev said, it's totally possible other apps include libraries from other sources that aren't Google, but also share data to also serve ads, etc., including to circumvent network blocks. Those other libraries could also potentially be more invasive without needing GMS to do it. They just don't have the same "Big Tech" recognition as Google, so they could harvest data with fewer "restrictions" than Google because they're under the collective public's radar.
Here are the lead dev's quotes if you don't have Matrix (he wrote a lot, but I think it's worth recording here):
strcat:
Play services and the Play Store of course connect to their services, as do the Play SDK / Google libraries used by apps when Play services isn't present
not having Play services doesn't mean Google apps / Google libraries can't connect to Google services....
many of their libraries just choose not to implement fallback code for Play services being missing, but many of them do have fallback code, and there is no reason they can't do 100% of what can be done with sandboxed Google Play without it
the whole point of sandboxed Google Play is that the Google Play apps are regular apps with absolutely zero special access or privileges and therefore there is absolutely nothing they can do which could not be done by the Play SDK / Google libraries in the apps using it
that's the point of the approach
this is a hard rule, not a simplification
try Google Maps without Google Play
it only uses Google Play as a way to integrate better with it
for example Google Play supports compass calibration across apps, and Google Maps is the frontend to configure Play services compass calibration
and without Google Play services, Google Maps doesn't bother supporting compass calibration, but it could, and their library for using the compass could fall back to using Google Maps if it's present but Google Play services isn't (it just doesn't in practice right now)
same applies to everything else
no reason the FCM library can't run a foreground service and ask for a battery optimization from each app using FCM
no reason it couldn't detect other Google apps and reuse a shared connection via those apps without Play services
they choose not to bother implementing fallback code for FCM
of course, they obviously implemented fallback code for the Google Ads and analytics libraries
they work fine in each app using them without Play services
they aren't going to throw away ad income from people using apps using Google Ads SDK on devices without Google Play
they don't care if you have push notifications though
if they didn't use Google Play as a cudgel to force vendors to comply with compatibility / security standards as part of licensing it, they would probably implement support for sandboxed Google Play themselves without us needing to do anything
it does not make business sense for them to not make it work to the extent possible on devices not integrating it other than as part of their licensing approach where [they] enforce rules on vendors through that
Sorry for yet another super long post.
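One way to check which of the Google libraries discussed above an app bundles, given here as an added example that is not part of the original post or of GrapheneOS. It assumes the public package names of the Google Mobile Ads, Firebase Analytics / measurement and Firebase Cloud Messaging SDKs, and runs on a constructed stand-in APK rather than a real app.

```python
import io
import zipfile

# Type-descriptor prefixes as they appear in a DEX string table.
# Grouping follows the thread: ads/analytics work without Play services, FCM does not.
SDK_PREFIXES = {
    "ads": [b"Lcom/google/android/gms/ads/"],
    "analytics": [b"Lcom/google/firebase/analytics/",
                  b"Lcom/google/android/gms/measurement/"],
    "fcm": [b"Lcom/google/firebase/messaging/"],
}

def scan_apk(apk):
    """Return {category: [dex files referencing it]} for an APK path or file object."""
    hits = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            # Multidex APKs ship classes.dex, classes2.dex, ...
            if not (name.startswith("classes") and name.endswith(".dex")):
                continue
            data = zf.read(name)
            for category, prefixes in SDK_PREFIXES.items():
                if any(p in data for p in prefixes):
                    hits.setdefault(category, []).append(name)
    return {k: sorted(v) for k, v in hits.items()}

def build_sample_apk():
    """Constructed sample: a zip whose 'dex' entries hold only the strings under test."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        zf.writestr("classes.dex", b"dex\n035\x00"
                    + b"Lcom/example/app/MainActivity;\x00"
                    + b"Lcom/google/android/gms/ads/AdView;\x00")
        zf.writestr("classes2.dex", b"dex\n035\x00"
                    + b"Lcom/google/firebase/analytics/FirebaseAnalytics;\x00")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for category, files in scan_apk(build_sample_apk()).items():
        print(f"{category}: {', '.join(files)}")
```

A hit shows the library is bundled, not that it is transmitting anything; a miss is not proof of absence, since code shrinkers can rename bundled classes.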