Welcome to the club. Glad you're enjoying using GrapheneOS so far!
tchuki Is it appropriate to group the applications mentioned there?
Private Space (PS) fits your purposes perfectly. You can install both your Google Mobile Services (GMS) and the apps that require them in there. That way they'll stay isolated from your privacy-respecting apps in the main space.
tchuki Where should I position my 2FA app which is used to access all these services?
That depends on what you need your 2FA app for. If you need it for the privacy-respecting apps as well (or possibly the internet browser), then it could make sense to install it in the main space of your profile; that way you can use it without opening the PS each time. But if you need it only for the apps that are in the PS anyway, you can place it in there with them.
tchuki How do I set up this private space?
You can get started with setting up your PS in Settings > Security & privacy > Private space and follow the instructions there. Do note that if you want to use biometric features in apps inside the PS, you must (re-)register your fingerprints inside it. The PS set-up wizard should prompt you for fingerprint registration when you're creating the PS, but you can also add them in later if you miss it.
After the set-up finishes, you're good to go. You can use App Store inside the PS to install GMS. Do note that if you want to install apps inside the PS, you should use the App Store inside the PS itself. Using your main space App Store will install the app(s) to your main space. By installing GMS inside the PS, they'll be limited to being able to act in there and they won't be seeing into your main space where your privacy-respecting apps are.
Do note that if you use a VPN, you'll need to install your VPN app again inside your PS. Your main space VPN won't/can't touch the traffic of apps inside the PS & vice versa.
Also, if you use a credential manager service / password manager, you'll need to install that too again inside your PS. After installing, you'll need to go to your main space Settings > Passwords, passkeys & accounts in which you should see a button called Private in the upper part of the screen. In there, you can set up your credential manager for your PS.
tchuki should I be interested in restricting these permissions?
As far as I've used Sandboxed Google Play, it works wonders for the vast majority of cases by having access to just two permissions: Network & Notifications. I'd recommend cutting down the amount of permissions you give Google Services Framework (GSF); then, if you discover that GSF actually needs a specific permission for a specific thing to work, you can grant that singular permission. This is most notably the case with certain Google-made apps which delegate a part of their internal work to GSF instead of doing it on their own; e.g. Google Maps requiring GSF to have access to the Sensors permission to show compass direction inside the app. Most non-Google made apps don't actually need GSF to be granted any additional permissions.
Certain apps (like one of my banking apps, for example) will sometimes complain that "Google Services Framework has to be granted access to the following permissions: [list of permissions here], or this app won't work." Don't let those messages scare you. My banking app works just fine even without the permission(s) being granted to GSF; it's just a generic error that can be ignored without it actually impacting anything.
To be clear, in some cases apps can actually refuse to work if GSF isn't granted specific permissions; you'll have to figure out on a case-by-case basis whether the errors are false (which I dare say is likely) thus allowing them to be ignored, or if they actually need attention. It shouldn't be an issue, since the number of those errors will be minimal regardless; I haven't encountered them personally anywhere outside my singular banking app.
A note about notifications
Your PS and the apps inside it won't stay active in the background all the time. By default, the PS locks itself when you lock the screen, and at most it can be set to lock after 5 minutes of the screen being off. When the PS is locked, it's essentially like the phone being shut down for the apps installed in there: you won't & can't receive any notifications from the apps installed in the PS while it's locked. So if you have any apps that need to be on 24/7 (such as messengers or medical stuff), the PS might not be the right place for them. The positive side of the PS locking is that since the apps installed in there aren't on, they won't consume any battery in the background either.
Also, while I don't know about your current set-up, if you've installed GMS in your main space, uninstalling it there after setting up your PS might break some of your app notifications. Most apps use (or default to using) GSF for receiving push notifications from their servers, and if it's not installed you might not receive the notifications you're used to.
While most instant messenger apps tend to provide their own push notification services, you might need to re-install those apps to make them use it (updating won't be enough). Apps usually check only once on first install whether GSF is installed or not. If it is, they use it, and if it's not, they use their own internal service; locking in to whichever decision they made for as long as they remain installed, even through updates. You might also need to grant your messengers unrestricted battery usage to make them receive push notifications reliably.
Phew. I tried to keep things as short as possible, but ended up with a wall of text regardless. I tried to not leave anything important out, but something might have slipped through the cracks. Good luck on your endeavors and if you happen to encounter any issues or questions, just post and we here in the forum will try to help you the best we can.