[deleted] I still haven't found an answer if there is a chance for apps that have all network access revoked to "share" data with the internet via Google play services that would have network access allowed. If it wouldn't be possible, I think that GOS developers would stress this point.
If an app doesn't have the network granted to it and Play Services does (this is not in any way exclusive to Play Services at all, I'm just using it as an example here since this is what we're talking about; the principle applies to all apps and is how Android works), if both apps agree to share specific data, Play Services could receive it and send it off to the Internet.
On GrapheneOS, exactly because Play Services work in the same exact sandbox/context as all other apps, they cannot see or interact with apps in other profiles. If you absolutely don't want 2 apps to communicate; don't put them in the same profile. Again, this applies to all apps.
An app doesn't need Play Services to send data to Google, they can include Google libraries and run Google code, and while it's true that you can turn an app's Network permission off, a lot, if not most of the apps that require Play Services for their functionality will fundamentally be apps that require network access for their core functions, so revoking the network permission from it is likely out of the question.
An app that doesn't include Google libraries or Google code would also likely be an app that doesn't need Play Services, and won't communicate with it regardless.
At the end of the day, you have to trust apps you use with the permissions you grant them. Thinking that Play Services are needed for them to send data to Google and that Sandboxed Google Play is what enables that isn't actually correct; as we've established, the entire point is that Play Services can do the exact same things as all other apps on GrapheneOS, unlike Stock OS.
[deleted] If I would like to be away from Google as much as possible, and would care about the data that Google can collect via Google apps, I wouldn't advice installing sandboxed Google play services, just because they are "marketed" as sandboxed.
Sandboxed Google Play isn't "marketed" as sandboxed. That's literally what it is. You're running the unaltered Play Services within the same app sandbox as something else. Perhaps you didn't mean that negative way, but saying it's marketed or putting "sandboxed" in quotes as if that's not what's happening is a bit confusing.