Our own App Store, Accrescent and App Verifier are highly recommended by GrapheneOS.
For apps in the Play Store, sandboxed Google Play Store is the most secure way to obtain them and many of them depend on sandboxed Google Play anyway. Making a purpose-specific Google account for this is very useful. If you're obtaining apps from the Play Store, you're trusting the Play Store to package and sign those apps regardless and many of those apps choose to include the Google Play SDK and libraries anyway.
We cannot recommend Aurora Store at the moment due to security issues. There is some initial work on addressing it but the main issue of not verifying signatures. The default account sharing is a potential problem but not the main issue, and it's likely to stop working at some point anyway.
We cannot recommend F-Droid due to major security and trustworthiness issues. We don't recommend adding this as another trusted party instead of using developer builds. You do not truly avoid trusting the app developers since they build whatever is released with near zero scrutiny and even serious review would not realistically catch issues.