Regardless of where you buy your phone, Google immediately collects a lot of immutable IDs from your phone, according to this study:
Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google
Douglas J. Leith, School of Computer Science & Statistics, Trinity College Dublin, Ireland
25th March, 2021 (Updated 10th June, 2021
The study was done with an earlier version of Android but I will not assume data collection has been reduced unless shown a comparable and more recent independent study.
This would happen when you start the phone for the first time and boot Google Android to fully unlock the phone, prior to GrapheneOS being installed.
When you buy from Google, additionally it will also be able to associate an address and billing/financial information even if you ship elsewhere.
The complete report (link above) is a dense and disturbing read. Here's an excerpt:
"Upon startup the first connection that the Android handset makes that sends data is to Google Analytics endpoint
app-measurement.com:[] The app instance id that is sent is linked to the device RDID (Resettable Device Identifier or so-called Ad ID, used formeasurement and ads9) in a later call to app-measurement. com. The next connection is made by the DroidGuard process (used for device attestation, part of Google's SafetyNet service), which send the device hardware serial number (which persists across a factory reset) to www.googleapis. com/androidantiabuse. The device RDID is now sent to www.gstatic.com and app-measurement.com. Early in the startup process a call is made to youtubei.googleapis.com/ deviceregistration that sends a raw DeviceId value and in due course a call to the android.clients.google.com/checkin endpoint is made.
This shares the handset Wifi MAC address, its hardware serial number and IMEI, effectively linking these three persistent device identifiers together. A subsequent call to android. clients.google.com/checkin further links these values to the Google AndroidId (a persistent device identifier that requires a factory reset to change) and a variety of security tokens10. The Droidguard device key is a large, opaque binary message: the contents are intentionally obfuscated by Google and it remains unclear whether it contains device/user identifiers11.
Cookies are sent in a number of calls, starting with one to fonts.gstatic.com and then to play.googleapis.com (this call
includes the AndroidId and so links that with the cookie). Despite deselecting the “Send usage and diagnostic data”option during the startup process, a substantial quantity (approximately 1.2MB) of telemetry/logging data is sent by the handset to play.googleapis.com/log/batch and play.googleapis.
com/play/log. The handset also sends 1.1MB of device data to www.googleapis.com/experimentsandconfigs and 181KB to android.clients.google.com/checkin. In total, around 3.6MB of data is sent to Google servers (via URL parameters, headers and POST data."