A factory reset would be best, but it's not necessarily required.
I recommend you to:
- Boot into Safe Mode, either by long pressing the Restart option in the power button menu, or by starting to hold the volume down key when the Google logo is shown during boot and keeping it held until you feel three vibrations.
- Review the list of installed apps and uninstall any app you don't strictly need.
- Go to the Settings app > Apps > Special permissions, and revoke dangerous permissions (such as Display over other apps, Install unknown apps, All files access, Usage access, etc) from apps that don't strictly need them. Unfortunately some of these dangerous permissions (such as Device admin if I'm not misremembering) cannot be revoked while in Safe Mode.
- Reboot the device as usual to exit Safe Mode.
Note that there's an additional dangerous permission not listed in the special permissions area, and cannot be revoked while in Safe Mode. Unfortunately it's also possibly one of the permissions being abused to spam you with popups/unwanted links opening. While not in Safe Mode, go to the Settings app > Accessibility. If you've granted any third-party app the accessibility permission, it should be listed here at the top under a Downloaded apps heading. If you remember granting accessibility permission to an app and you're afraid it might be interfering with you trying to revoke it while not in Safe Mode, as an alternative I can suggest disabling the app in Safe Mode, and then revoking its accessibility permission outside Safe Mode.
Finally, especially if you have many apps installed, it'd be a good idea to run an anti-malware scan, it might catch malicious apps you missed in the previous steps (anti-malware scanners are a best-effort security measure, they're inherently unreliable): If you have Google Play Store installed, open it, then tap your profile picture, tap Play Protect, and tap Scan. I also recommend opening the settings inside this Play Protect screen and enabling both Scan apps with Play Protect and Improve harmful app detection.
And in case you haven't verified your GrapheneOS installation is authentic, you should do it now as was suggested by the previous posters:
https://grapheneos.org/install/web#verifying-installation
It's best if you install GrapheneOS's Auditor app from Google Play Store on another, trusted Android device and use it to verify the GrapheneOS device.
Hope this helps.