becomeparmesan 1 Is GOS protecting from this by default, by not having an Ad ID?
TL;DR; Correct.
Advertisement ID is a proprietary function provided by Google Mobile Services (GMS) and it's not a part of the Android Open Source Project (AOSP). Since GrapheneOS (GOS) doesn't ship GMS by default, there isn't an Ad ID on GOS by default either.
Do note however that if you install GMS, Ad ID is enabled by default (even if you haven't logged in to a Google account). It can be disabled from Settings > Apps > Sandboxed Google Play > Google Settings > All services > Privacy & security > Ads > Delete advertising ID
becomeparmesan 2 Is it okay to leave location on all the time, if I do not give (closed-source) apps the permission or do they get it from cell tower triangulation?
TL;DR; You can leave the global Location toggle on as long as you don't grant untrustworthy apps the Location permission under Settings > Location > App location permissions & use a trustworthy VPN.
The global Location toggle determines whether any permitted app on your phone can access your location. Without the Location pemission, apps can't do so even if the global toggle is on. You can have the best of both worlds by granting your trusted (open source) apps the Location permission while denying it from the untrustworthy (closed source) apps; I do so personally all the time.
In addition to GPS access, the Location pemission covers many other obvious & well-known location access vectors as well; most notably Wi-Fi SSID names & cell tower identifiers (given that they can reveal your location). So if an app doesn't have the Location permission, it can't access them either. While there might be some other novel and/or obscure ways of getting your location, your run-of-the-mill commercial closed-sourced apps are unlikely to use them simply due to economic factors; creating & maintaining such code takes effort, time, and money. It's simply easier & cheaper for an app to request access to the Location permission and then refuse to work at all if it isn't granted, compared to trying to find & maintain obscure ways of getting a single user's location outside the Location permission through novel methods that'll eventually be patched.
It's worth noting that your phone's IP information basically public knowledge. Even if you blocked access to it on your end, any apps' servers would still see it when your apps connect to them. And since IP can be used to determine a rough location, it could be considered a location leak vector. Thankfully, the fix is easy: use a trustworthy VPN provider to hide your IP address & thus your rough location.
becomeparmesan 3 How does ad blocking play into this? Are points 1+2 negligible if ad blocking is on?
TL;DR; Don't grant the Location permission to apps you don't trust! Ad blocking won't save you.
This is a bit tricker since it has many more variables. It really depends on how a given app implements their advertisements. If they do a naive implementation and try to poll known ad domains directly from the app, then ad blocking might work, but that's a lot of trust being put on a mere unknown possibility.
If an app's ad implementation works by first sending your data (location or otherwise) to their own server and then having the server sell the ad space via real-time bidding (RTB) before sending the chosen ads to your phone, then there's really nothing ad blocking can do from a privacy perspective. Sure, you might not see the ads, but your data has already been sold; you're just not rendering the end result (the ads) on your device.
One way to try & block this is to deny any untrustworthy apps the Network permission, but it might not be the silver bullet either, especially if the apps you use need an internet connection to actually fulfill their functions.
In the end, using ad blocking to try & prevent location data leaks is a band-aid fix over a gaping wound if your aim is to use it to block apps from selling your location data. The correct answer is not to grant them the Location permission in the first place.
Hope this helps.