If you set any app as your default spam & caller ID app, the OS automatically grants it the dangerous special permission to display over other apps without informing you. With this permission, the app can spoof the display for you and make you believe you're interacting with something while you're actually interacting with a fake display. It can also track your touches and I've heard it can also send touches on your behalf to the screen. For this reason I'm not using a spam ID app despite the useful Contact Scopes feature.
Since apps with the display over other apps permission can spoof what you see, there's no guarantee that when you revoke this permission, it's really revoked. If you want to revoke this permission from an app or check whether an app has this permission in a sure way, I recommend holding the power button for about 30 seconds to force the hardware to restart, then when you see the Google logo immediately start holding the volume down button until you feel three vibrations (two quick vibrations then a long one). This will boot, using physical buttons, into Safe Mode where no third-party apps can run and spoof the display. Then you can revoke this permission or uninstall the app, and reboot normally to exit Safe Mode.
An alternative would be if the GrapheneOS devs would add reporting of dangerous permissions like this to the Auditor app. They recently added reporting of the USB-C and auto-reboot settings, which is pretty cool. But currently it doesn't report if/which third-party apps have this permission so you have to enter Safe Mode with physical buttons to check this.
I'm really surprised that there's no proper API for caller ID apps not involving granting this permission.
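
An added example, not part of the original post: a shell helper that reads the overlay grant from a separate computer over `adb` instead of from the phone's own screen, listing third-party packages whose `SYSTEM_ALERT_WINDOW` app-op is explicitly set to `allow`. It assumes USB debugging is enabled and the host is authorized; the package names in the sample data are constructed, and packages left in `default` mode are not listed.

```shell
#!/bin/sh
# Added example: intersect two captured adb outputs.
#   $1 = output of: adb shell appops query-op SYSTEM_ALERT_WINDOW allow
#        (one package name per line, or "No operations.")
#   $2 = output of: adb shell pm list packages -3
#        (third-party packages, one "package:<name>" per line)
# Prints third-party packages that currently hold the overlay app-op.
overlay_third_party() {
    # Normalise line endings, drop the "nothing found" message and blank lines.
    allowed=$(printf '%s\n' "$1" | tr -d '\r' \
        | grep -v '^No operations' | sed '/^[[:space:]]*$/d' | sort -u)
    # Strip the "package:" prefix that pm adds to each line.
    third=$(printf '%s\n' "$2" | tr -d '\r' \
        | sed -n 's/^package://p' | sort -u)

    printf '%s\n' "$third" | while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        # Exact, fixed-string, whole-line match against the allow list.
        if printf '%s\n' "$allowed" | grep -Fxq -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
    return 0
}

# Constructed sample data (not captured from a real device).
SAMPLE_APPOPS='com.android.systemui
com.example.callerid'
SAMPLE_PM='package:com.example.callerid
package:com.example.notes'

# Demo on the constructed sample; prints: com.example.callerid
overlay_third_party "$SAMPLE_APPOPS" "$SAMPLE_PM"

# Against a connected device (assumes adb is on PATH and authorized):
#   overlay_third_party \
#       "$(adb shell appops query-op SYSTEM_ALERT_WINDOW allow)" \
#       "$(adb shell pm list packages -3)"
```
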