foo2bar I was reading this today and I was wondering whether GrapheneOS protects us from this kind of exploit.
Not in general, no. The fact that the loopback interface is shared and can be used to send data between apps, even across user profiles, is a well-known issue that unfortunately isn't really feasible for the GrapheneOS team to fix, at least not as things are today. It would require a major rewrite of all network handling in Android, in a way that would be hard to maintain/port to new Android versions, and that might break certain apps.
Relevant ticket:
https://github.com/GrapheneOS/os-issue-tracker/issues/4772
About the specific instance of tracking carried out by Meta, which relied on WebRTC to do the localhost connections, those attacks would work in certain web browsers, but was apparently completely blocked by Vanadium. So as long as one used Vanadium (or another privacy focused web browser), one should have been protected from this specific tracking. Yandex was found to do something similar, which Vanadium did not protect against. Fixes for that has been rolled out during the last few days.
Relevant thread:
https://discuss.grapheneos.org/d/22889-meta-and-yandex-are-de-anonymizing-android-users-web-browsing-identifiers/
foo2bar I mean, we can always block background running for IG or FB, but then again that would not be feasible for WhatsApp users (another Meta app, which they might use to pull the same trick).
Blocking background usage might not be enough, as apps can still wake up every now and then, and if it times badly, you might have gotten two separate activities linked to each other.