Apps are able to enumerate other installed apps on the same profile. This is by design. Apps are able to communicate with other within the same profile, provided they have mutual consent to do so.
Any apps that are not installed on the same profile as GSF will not be able to communicate with it. Some apps opportunistically use GSF to provide certain functionality (such as notifications, etc.) One example is Signal, which uses GSF to provide on-time notifications, but will fall back to a websocket implementation provided that GSF doesn't exist in the same profile. To force apps to work without it, install them on a seperate profile without GSF.
There is nothing inherently wrong with installing Google Play Services on the owner profile if that's your use-case. Any app within the same profile as it is able to communicate with it, provided it has the functionality to do so but if you don't mind that and want to install everything in one profile and have everything that can work with GSF do so, then that's fine. It all comes down to your own use-case. If there are some apps that you'd prefer not to use or interact with GSF, install them in a separate profile or install GSF in a separate profile.
In GrapheneOS, Google Play Services are sandboxed just as any other user-installed app is: It doesn't have the special privileged access it usually has in other OEM Android installations and thus won't have access to any permissions you don't explicitly grant it, just like other apps.