HypnoSloth I believe Google Play Store needs network permissions for all this to work properly but is that the only permission needed for the three google play apps?
For most apps, the Google apps only need the network permission, yes. Some apps will require giving Play Services the phone permission, and if you want to pair a smartwatch you might need to give Play Services the nearby devices permission, for example, but the majority of apps work fine with Play Services just having access to the network.
HypnoSloth What permissions other than battery optimization do those google apps need to enable updates and push notifications for things like proton mail? Do these permissions allow google to get identifying information about the device like phone number, IMEI, or track the device based on cellular tower proximity?
Play Services needs unrestricted battery usage, and of course the network permission as stated above. No apps get access to the IMEI etc. I recommend reading this section of the docs:
https://grapheneos.org/faq#hardware-identifiers
https://grapheneos.org/faq#non-hardware-identifiers
HypnoSloth What are the actual security risks associated with using Aurora, from either their many users to few google accounts approach or any other issues they may have?
From https://privsec.dev/posts/android/f-droid-security-issues/#conclusion-what-should-you-do
If you don’t have Play services installed, you can use a third-party Play Store client called Aurora Store. Aurora Store has some issues of its own, and some of them overlap in fact with F-Droid. Aurora Store somehow still requires the legacy storage permission, has yet to implement certificate pinning, has been known to sometimes retrieve wrong versions of apps, and distributed account tokens over cleartext HTTP until fairly recently; not that it matters much since tokens were designed to be shared between users, which is already concerning. I’d recommend against using the shared “anonymous” accounts feature: you should make your own throwaway account with minimal information.
HypnoSloth Does Google Play Store need network permission for Aurora fetched apps to work?
If you use Sandboxed Google Play, the proper setup for it is to have the 3 apps with network permission and unrestricted battery for play services. Play Services and Play Store play off each other, and denying network to either will screw things up.
HypnoSloth Is the only benefit that Aurora provides over Google Play Store the ability to not use a google account?
Pretty much, yeah. Aurora Store can be a good choice if you're not using Sandboxed Google Play in general or a specific profile, but not something I'd recommend as the first choice or in all circumstances.
HypnoSloth Question: Is my understanding of the security issue correct and are there other issues?
https://privsec.dev/posts/android/f-droid-security-issues/ is a good starting point on the issues with F-Droid, but this article doesn't include everything. There are security and UX issues with F-Droid. I can't recommend F-Droid at this point, but if you insist on using it, at least use a relatively modern F-Droid client to interact with the F-Droid repo like Neo Store or Droid-ify.
How prevalent is the lack of push notifications for apps that offer an apk?
That depends entirely on the app. If an app provides a non-play version of getting notifications, that'll most likely be available in the GitHub APK, or the version with FCM might be available there. It highly depends so it's not a question that one can easily address.
HypnoSloth How difficult is it to set up an RSS feed? (Is this similar to a shell script or something?)
It's pretty simple. Process is explained here: https://www.youtube.com/watch?v=FFz57zNR_M0
HypnoSloth With an RSS feed, do apps update automatically or is that simply a notification system for when an update or change has been made?
The apps don't update automatically. You're just notified and can then go to the website to get the newest version.
There's also Obtainium which makes the process a little bit smoother from what I hear, but it also doesn't do automatic/unattended updates either.
HypnoSloth Is there any benefit in mixing these options on the same profile from a privacy and security perspective?
In my opinion, if you're using play store on a profile for some apps, use it for all.
HypnoSloth Am I missing any other good app repositories and what are their pros/cons?
Accrescent is very promising. You can think of it like a much better Play Store. The con of it is that it is still very new, so it's in alpha, and doesn't currently have many apps in it, as devs have to be whitelisted to submit their app at this point to make sure the kinks are ironed out before it goes fully public. Definitely something to keep an eye out for; I definitely am.
I hope this helps!