b3_k1nd_rw1nd I am used to the narrative that if an app is closed-source, then you can't completely trust it to not steal your data when you install it or not track your general activity on your phone.
Any application (regardless of its development model) is constrained by the same permissions and other boundaries in GrapheneOS. There's nothing inherently insecure or non-private about closed source apps, and the same goes for open source apps.
b3_k1nd_rw1nd But if I, say, install Facebook (deliberately choosing an app that is definitely not privacy-respecting) but do not grant it access to anything except network and notifications, can it actually access any data on my phone outside of what it itself stores on my phone? Assuming, of course, that the Facebook app will work with those revoked permissions.
It would not be able to access things that you don't grant it access to, or anything that any other (open source or otherwise) app wouldn't. All apps are on the same level in GrapheneOS, including apps like Google Play Services which are privileged on the stock OS.
I would highly recommend going through the OS' documentation at GrapheneOS to get a better understanding of how things work on Android. For example, the documentation goes into detail about what access (or lack thereof) apps have to things like hardware identifiers.