There's a lot in here if you search the forum. The main website also has a lot of good reading material.
PROFILES:
The easiest thing is to have one profile, have Play services and Play Store on it with your old Google account, and use it as a regular Pixel with additional security and a little extra privacy.
From there, it all depends on how much effort you are willing to put in - not only in setting it up, but in daily usage it may be a pain to juggle multiple profiles.
I have a main profile that's basically empty. A second profile that is my daily driver, a third with GPS for banking apps and a fourth for reading news.
VPN:
Well, VPN is a transfer of trust. From your ISP to the VPN provider or to a cloud provider, if you host a VPS yourself. For me it's a no-brainer, since ISPs suck. Go with a VPS or a reputable VPN (IVPN, Mullvad, Proton or Windscribe).
I recommend against using a private DNS (NextDNS, Quad9, AdGuard, etc.) with a VPN, as it makes you more
But it's all about trade-offs. NextDNS and Quad9 update daily, so you'd have greater protection against phishing, malware, etc. Also, with Rethink you're stuck with however many WireGuard connections you set up; you can't just easily jump servers like you would with the VPN's app.
APPS:
The golden rule is: less is more. Stick to the essential. Replace what you can with reputable open-source alternatives, but remember open source doesn't mean secure or private. Run away from projects that are abandoned or have few users. Open source needs engagement (from the devs themselves and 3rd parties) to be constantly debugged and improved. Switch to webapps whenever possible. Webpages can access your browser, not your hardware.
Don't be afraid to have Google apps (Gallery, Camera) on your phone if none of them has network permission (see explanation in keyboard about apps communicating). I'd separate apps which require permission in another profile (gmaps for example), but it's a pain to drive longer distances in another profile.
Check https://privacyguides.org/en/tools for good app recommendations.
KEYBOARD:
AOSP keyboard sucks. Two good keyboards are Gboard or Microsoft SwiftKey. SK has better word prediction and UX imo, but Gboard has dictation (it takes some effort to get it working, I can look it up if you want). Remember apps can communicate (GOS does have an app communication scope feature in the pipeline iirc, but for today that's the reality): even if you remove network permission from Gboard, it can in theory still send all you type to the mothership via GPS if you have it installed.
APP STORE:
They all suck. Play Store requires an account. You can try your luck creating one without giving a phone number, or use a number from https://smspool.net that you buy with Monero.
Aurora apparently doesn't verify APK signatures.
F-Droid faces criticism from a lot of people in the security world, and it's only for open-source apps anyway.
Obtainium is an option, but again, only for open-source apps.
GOS has a store in alpha, Accrescent, but it has like 10 apps and nothing guarantees that devs won't pull away support for an app store with a thousand users, if that.