All the things you're talking about are known/expected. There's no "root" access going on.
Bspamail I have a wallet option that showed up out of nowhere
It's a part of AOSP. GrapheneOS devs recently re-added it to the quick tiles. You can see it in the release notes here. The wallet app isn't actually installed, but there's some wallet functionality that's part of Google Play / Google Play Services.
Bspamail noticed a google AR app predownloaded from not launched to install
This is because an app is trying to use Google Play's AR Services. The app "probes" for that functionality, and when Google Play notices it's not there, it tries to install it by itself. On Stock, Google Play has access to install whatever it wants without asking permission. On GrapheneOS, it cannot install, but you see that pending icon.
Easiest way to stop that from showing up is to install it, when it prompts to install don't allow network permission, then disable it from the app settings. Once disabled, it won't show up again.
Bspamail it's talking me to put my finger print on it
The app doesn't have access to the fingerprint reader. The app is using an Android API to use biometrics to verify it's you.
Bspamail Yo is google play services even safe?/ am I the only on ewho encountering this? How can I disable them getting in my device like that? Wtf????
On GrapheneOS, Google Play's 3 GMS apps don't have any special privileges. They can't install apps without permission and they cannot add permissions for themselves.