- Edited
DeletedUser84 I'm not an expert but this is a topic that interests me so I've been trying to learn as much as I can about it.
There's a good section in "Practical GrapheneOS for the paranoid" on cellular privacy, which has some footnotes referencing posts by the official GrapheneOS Twitter account.
Even if you buy the phone and SIM with cash and no KYC, the best you get is a persistent pseudonym. Over time, unless you are extremely cautious and in particular unless you avoid having the phone connected to the cell network anywhere near your home, the government/police/cell companies/anyone they sell their data to will be able to infer that the phone almost certainly belongs to you.
The cell network will know your location pretty precisely at any time you are connected to it. I've seen different figures quoted for this, but in urban areas I think easily to within a few hundred metres. 4G might be slightly less precise than 5G - again, I have seen conflicting opinions. So if you're always connected and using a KYC SIM, this means the cell network is trivially building up a location track for you at all times. If you're always connected but using a no-KYC SIM/phone it is not hard to do the same but it requires a modest bit of data analysis to label the track with your real identity, and if you're just some random guy I don't know if anyone is going to do this analysis routinely.
If you haven't already seen it you may want to check out The Hated One's video on not using a SIM card.
If you are concerned about your location being tracked and can afford not to be in contact 24/7, you can try keeping your phone in airplane mode most of the time, using wifi where available and just turning on the cell radio when you really need to be contacted/get in contact. By limiting the time the cell radio is on, you reduce the amount of location tracking data available to third parties - if you're just trying to be more private, it might not matter to reveal it intermittently. In urban areas, you may be surprised how often wifi is available - you could extend this by occasionally patronising businesses with customer wifi in areas you frequent, which means you can trivially use their wifi from the street as you pass (and may even be able to get notifications about incoming messages or missed calls just as you walk past). Businesses with "normal" wifi that has a password they give out to customers is best - those with open wifi which makes you navigate through a web-based portal to get internet access are much less useful for this kind of casual, brief walk-by access.
There is definitely some privacy benefit to only using mobile data and avoiding calls/SMS, whether or not your SIM/phone are KYCed. Calls/SMS are not encrypted so the contents are likely to be routinely monitored. The metadata is not protected either so it's easy to build up a pattern of who you contact and when. If you're using VoIP to interact with people using "normal" phones, there might not be much advantage because you are still interacting with the regular phone network, but it's unlikely to be any worse. If you and the person you are contacting are both using VoIP there may be some increase in privacy, although you're trusting the VoIP operators for this.
If you use something like Signal your calls/messages and associated metadata are likely to be kept private. Yes, "they" could compromise the devices used by your contacts, but if you're just a random guy who wants some privacy, this is unlikely. So this is the best option, and is completely compatible with using a KYC SIM for data only, but I appreciate you may need the convenience of having access to the normal phone network.
Skype offers the ability to make calls to normal numbers over a data connection at a pretty decent per-minute rate - it isn't particularly private, but if this is enough for you it may save you money on VoIP services. (Maybe you can nearly get by with just Signal and this would fill in the gaps.) You can also rent a phone number through Skype for receiving calls, but I don't know how affordable or reliable this is.
It's important to bear in mind who you are trying to be private from and why. I know I often succumb to the temptation to think of a unified "they" who are constantly snooping on me. If motivated attackers are after you specifically, it is hard. But even if it might be nice to be a ghost, if what you really want is just to reduce the amount of data being built on you so you can be advertised to and generally influenced, every little helps and perfection is not needed.