I believe that this topic has been discussed a few times already, but unfortunately I didn't see any mitigation actions being taken on this yet. It seems to me that this is rather concerning.
I'm referring to the situation that there is currently no way to block the communication of one app to other apps. In this way, apps can essentially actively undermine the removal of the "Network" permission and still receive information from the Internet when Google Play Services are installed and online. I wonder if apps can even send information back through the same channel. If yes, I would rate this as a severe privacy risk.
Example:
I have a banking authentication app for which I removed all the permissions (no Network, no Notifications, etc.). When I start the login process on the bank website and open the banking authentication app, the app shows a popup asking me to confirm the login. As I understand it, my banking app is still able to communicate with Google Play Services. So, when I start the app, it probably asks Google Play "Do you have anything for me?" and then Google Play forwards the login confirmation request to the app.
(Side note: my original intention is to keep this specific banking authentication app completely offline and only rely on the time-based (OTP-like) codes it generates and not on those authentication popups.)
Proposed solution:
Build a mechanism in GrapheneOS where the user can define, for each app, which other apps it is allowed to communicate with, or whether no communication is allowed at all.