grayguy It says right in the paper that they're abusing permissions and using fingerprinting methods to track and correlate users across apps. There's also a point in the paper where they say that one method they use is exploiting unpatched devices. GrapheneOS always ships updates as quickly as possible, applying all patches.
They also say that indoor positioning methods (scanning for nearby Wi-Fi networks and Bluetooth devices) and sending that data back to Google or Apple for more accurate positioning is a privacy risk. This is pretty obvious, but not really a big problem on GrapheneOS because Google Play and Google Play Services are regular user-installed apps and don't get the required permissions automatically.
GrapheneOS has its own network location app, so it's open source and obviously doesn't have code to use location data other than its intended and documented use. Also, requests can be proxied through GrapheneOS servers. I think most people will use GrapheneOS's network location now, but GrapheneOS also supports using Google for location. To do that users have to grant location and optionally the nearby devices permissions to Google Play Services.
Don't grant apps access to things they don't need, use features to automatically turn off Bluetooth and Wi-Fi when not in use, and keep your device up to date. The things I read in the paper aren't real concerns for people who are smart about permissions they grant to apps.