I consider myself a beginner and IMO the biggest obstacle to make your own build that you might face is the ram and disk requirement. Otherwise for the default build its learning curve is mostly time consuming and I am not aware of a make menuconfig or similar that would let you conveniently choose your font. To give you an idea, the folder for grapheneOS alone is 216G after the build process is completed. Expect another learning curve just to build the emulator, which I think you should. Testing and compiling all of this in VM(s) can simplify the troubleshooting process by quite a lot.
There might just be a config setting to modify by hand and then compile everything .. or it might have cascading effect that may or may not be resolve after a few cycle of corrections. I don't think it should but it doesn't mean it won't .. I am a beginner with no experience customizing GrapheneOS.
For the signing infrastructure, the make_key is a standalone file that can be copied and you can generate the keys in a separate machine if you wish; there isn't much to it. I am pretty sure that the public and private key get copied over in quite a few places after its build is completed, including at least one zip file (using the m command provided in the build instruction for a pixel 7). I have not checked whether the encrypt key script handles all of this .. it likely does except for the generated zip files. Right now I am using the KISS principle and I am creating new keys every single times with OTA disabled. Until I am confident enough.
Before you go through all of this, if you choose to accept it .. you might want to double check that the font you are looking for is not in the pre-built font familly. On my device I see Default, Sans-serif, Sans-serif condensed Sans-serif monospace Serif, Serif monospace, Casual, Cursive, Small capitals.