A lot to unpack here.
First AOSP (Android Open Source Project) which GrapheneOS is based on has not been locked down. It is still open source and the code is still available. The change specifically has to do with how code for the Pixel 10 is being handled. Basically, in the past GOS has been able to put out a version that works with a new phone within days of that phone launching. With the 10, that is not going to likely be the case. However, the GOS team has stated that as long as the hardware meets their requirements, they will port GOS to the pixel 10. With the Pixel 8 and 9 it will be business as usual, they both have guaranteed software updates for 7 years from their launch.
I don't have any experience with 2fa apps on GOS, but I have used a locations tracking Time keeping app. Specifically Paylocity if that helps you. That one works fine.
Banking Apps... Someone else can probably post the link to the thread that has tested apps in it. As long as your bank allows mobile web access, you could always go with that route.
iCloud account... I feel your pain. I switched from Google to Proton and updated every account I had in 1 go. It took me probably 3-4 hours, but it gave me a chance to also check if passwords had been refused or if I had weak passwords. The other advantage was that I was able to bifurcate out accounts (paid Proton allows multiple email accounts to the same mailbox).
Contacts etc will have to be saved to either a thumb drive or your computer or emailed to an account you'll put on GOS. If you put them on stock android they will be wiped when you install GOS. iPhones have an "export to .vcf" option for contacts in either the phone or contacts app. With that .vcf file all of your contact info can be imported.
If you can hold off another month or so, google is unveiling the Pixel 10 on Aug. 20th. Likely the pixel 9 will go on sale shortly after, though if you don't have a camera, I could see not wanting to wait.