WhatsApp works just fine. For reliable push notifications, make sure to install Play Services from GrapheneOS app store before you install WhatsApp. If you want E2EE Google Drive backups, make sure to sign into your Google account before installing WhatsApp. Then yell at everyone you know to switch to Signal 😉
I just use my physical cards that all support tap to pay. I keep them in a cheap NFC blocking wallet when out in public. Most of my purchases are online anyway. I'm not that concerned about card security since I exclusively only use credit cards (not debit cards), which have ample fraud protections. I only walk around with a few cards that I might use in public and the others stay locked away at home. I've only had one instance of fraud/theft in my life and the bank took care of it immediately and overnighted me a new card the next day. Having more than one card takes care of that slight inconvenience. As for privacy, there are not really any privacy benefits if you're using a credit card or debit card regardless. If you want privacy when shopping in-person, use cash.
If you really want contactless phone payments, in addition to Curve pay, you can also look into getting a smart watch that supports contactless payments like Garmin. I would first see how much you really need this in your life though.
M365 works just fine and I believe it even works without the need for play services (though you won't have push notifications if you don't install play services on that profile).
Just install Google's official "Pixel Camera" app. It's the same camera that comes default on Google's version of Pixels. It works even without play services and you can remove network permission to the app. Camera quality will be as good as stock pixels.
Pixel 9a is great, but I would double check to make sure you can't get a better deal on something newer or better before you settle. I got a Pixel 10 for less money than a Pixel 9a for example by shopping a sale. Unlike iPhones that don't really budge in price, Android phones are more competitive. Though, they also don't hold their value in case you plan to resell it, so don't overspend if you aren't ok with that. Just make sure that whatever you buy, that it's factory unlocked. I'm not sure how it works in Europe, but in the US, there are variants sold to work with Verizon based carriers and these won't work since you can't unlock the bootloader to install GrapheneOS.
GrapheneOS is fine for you and you may see additional benefits. For example, you can use GrapheneOS's privacy features to restrict non-privacy apps somewhat. For instance, you can use the contacts scope feature on WhatsApp to make it so WhatsApp only sees specific contacts rather than all of your contacts. You can similarly use storage scopes to spoof apps into thinking you gave it access to all of the files on your phone despite not giving it any access or access to just specific files and folders. For some privacy invasive apps, they will refuse to function unless they think you gave them full access, which is why this is so handy.
GrapheneOS is a great tool not just for people who are already privacy/security hardened, but for people still on the journey. Outside of contactless payments and some features that you're honestly better off not using anyway (like system level AI), GrapheneOS is extremely compatible and it's up to you to decide how locked down you want to make it. I personally find it easier to use than Google's android since it removes the endless bloat. I tried setting up a regular android phone recently and even after 12+ cumulative hours of playing with settings, I was still finding hidden menus where I had to opt-out of privacy invasive "features." And there was still a lot I couldn't remove at all. GrapheneOS on the other hand comes with sensible defaults and settings that are designed to benefit the user, not a corporation's data collection business.
For you, I would say either an iPhone or GrapheneOS would work. It depends on what you're looking for and trying to accomplish. iPhone is a great baseline for normal people, but GrapheneOS has the potential to go much further. For iPhones, even if Apple is better than Google for user privacy, it's not as good as not having to trust anyone. There is no company running closed-source code at the system level on GrapheneOS. It's your phone. Grapheneos is also more censorship resistant since it fully supports installing apps from different sources. So should your government decide they no longer want Apple/Google to allow certain apps on their App Stores, you can easily still install and update the app using another source (accrescent, f-droid, obtainium via github, their website, etc).
You can also easily isolate apps to different profiles on GrapheneOS to restrict their ability to communicate with each other. For example, you can keep your work apps on one profile and keep your personal profile for privacy friendly open source apps. You can even keep other profiles off in the background when you're not using it, which is akin to them being installed on a phone that's turned off.
There are a lot of other extra privacy and security features and settings that might seem like overkill right now, but that is likely to change the more you use them and the more you learn about all the creepy ways you're being tracked and spied on. For me, using Google android or iOS nowadays feels like I'm driving without airbags and a seatbelt.