I've been trying to figure this one out ever since I started using GrapheneOS in 2022.
Owner: used for nothing except updating GOS and adjusting settings. No apps here except the basics. I run Orbot in this profile 100% of the time, but I probably don't need to.
Secondary A: my main profile. My methodology: install here unless I have a reason not to. It has Google Play installed. I have location off most of the time, unless I need it for some reason. I use cellular on this profile; it has my contacts, etc.
Secondary B: my email. This also has Google Play; this is required for using YubiKeys for login to emails. Runs Orbot. I try not to use cellular here (aeroplane mode).
There are a few issues with this setup. Lots of people separate their FOSS and sandboxed Google Play apps into different profiles. The problem with that is: what if I want to listen to music (Tidal) while reading a book (Librera Reader)? The problem is use case; there are many apps that require Google that would typically be used alongside FOSS apps. Organising profiles based on FOSS/Google is impractical for me - this would be good for privacy, but my setup focuses more on security. Also, my threat model isn't so concerned about Google.
Organising them into high threat vs low threat is also not practical. If you define "high threat" as a profile that has a stronger password/PIN, and you put all your sensitive apps and data in this profile, that means you've put all your good eggs in one basket. What if your email app is the most likely to get malware installed on your system, and you paired it with another important app like your password manager? There's a potential threat vector there. However, if you define "high threat" as most susceptible to getting malware installed, that would change your strategy to only put email there and nothing else.
Organising based on "identity" is a good idea but hard to do. If you define "identity" as separating apps that hold personal information from apps that don't, you run into the same problem I mentioned above, where you typically use one app with another. It's inconvenient to have to change profiles all the time. If you define "identity" as being different personas - in all my years of being privacy conscious, I've never had to create entire identities for evading any kind of threat. Pseudonymous identities on online forums and social media, sure, but creating a fake person with fake persona details and a fake backstory just seems excessive for me and doesn't achieve anything.
There was a time when I tried to make full use of the 16-profile limit, and tried to compartmentalize apps as much as I could - compartmentalize based on activity - banking, emails, shopping, personal, private/anonymous, etc. The kind of stuff you see from QubesOS. This was highly inconvenient, as you can imagine; having to switch profiles and manage the passwords/PINs for them is not easy.
I'm always experimenting with different setups. With the exception of having a dedicated profile for email, I always fall back to whatever is most convenient. I haven't found a real use case for private spaces yet - I don't even use Owner for anything. PWAs are nice for convenience, but I only use them on desktop - reminder that they do nothing for privacy.