angela: Could using it in any way be an attack surface?
Sure, but just turning the phone on increases attack surface compared to it being off.
I expect Auditor makes specific DNS queries and connects to a specific server run by the GrapheneOS project. If that traffic goes through a VPN, the VPN service could be exploited or perhaps forced to turn over logging information, so somebody could determine you're running Auditor.
Though I think it's highly unlikely, it's theoretically possible that the Auditor app has an exploitable bug in code that displays results from the server. Running code that checks in with a server on behalf of a device using a stable identifier, even if it's resettable, poses some risk of tracking.
At present there isn't a lot of code that is proven to contain no privacy leaks and no security bugs, so running more code means more risk.