  • First time install of GrapheneOS

I installed GrapheneOS yesterday on my Pixel 7 Pro and the installation process went very smoothly, certainly easier than CalyxOS, which I tried recently.

I was surprised at the lack of an app store initially, but I have read up and I am currently using the Aurora Store anonymously. I know the app store is about choice, but I am not sure I have sufficient understanding to make an informed choice.

Ideally, I would like privacy, security and usability in any phone choice, but I am just a normal person and I do not have a need for anything exceptional in terms of security. I do use a mix of services/apps: Garmin, Roon, Proton Mail/VPN, NatWest Bank, Bitwarden, Synology apps, Signal, among others. Is there a way to remain secure and private?

I have read that Google Play services is sandboxed, but I don't really understand the implication. I tend to try and avoid Google normally; however, should I really install and use it? I don't know the answer. I could use a throwaway account, I suppose, but if I did, say, download Google Maps, how much information would Google have available from the phone?

Is it a choice between security, which suggests installing Google Play services (and their app store), or privacy, installing via Aurora, F-Droid or similar?

Thanks for reading.

    wetop Ideally, I would like privacy, security and usability in any phone choice, but I am just a normal person and I do not have a need for anything exceptional in terms of security. I do use a mix of services/apps: Garmin, Roon, Proton Mail/VPN, NatWest Bank, Bitwarden, Synology apps, Signal, among others. Is there a way to remain secure and private?

    A few of the apps you're mentioning may require Play Services to work or to provide certain functionality. If you're going to be using Sandboxed Google Play for app compatibility, I would personally also use Play Store with a dummy account made especially for that purpose. Aurora Store can be used as well, although it's not always ideal for a few reasons, including the fact that apps can refuse to work if not installed through Play Store itself.

    With regards to Sandboxed Google Play and how it works:

    The way it works on GrapheneOS is that you're able to install the unaltered, official Play Services/Store as a regular app, which, like all other apps, is confined within the same app sandbox.

    That means that Play Services is not capable of accessing anything that another regular app wouldn't be able to. They don't get special treatment or privileges. It's not a special sandbox that they run in, but rather the standard app sandbox that all other apps you install do.

    If you were to try and install Play Services as a regular app on another OS that doesn't implement the Sandboxed Google Play compatibility layer, it would crash repeatedly and refuse to work, because it wouldn't know how to function as a regular app, and would expect to be in its usual, privileged environment.

    GrapheneOS' compatibility layer teaches the app to use APIs that regular apps can use instead of the privileged ones so that the apps can function within that context.

    I hope that helps. Welcome aboard!

      • [deleted]


      wetop I have read that Google Play services is sandboxed, but I don't really understand the implication. I tend to try and avoid Google normally; however, should I really install and use it? I don't know the answer. I could use a throwaway account, I suppose, but if I did, say, download Google Maps, how much information would Google have available from the phone?

      From my understanding they do not have any special privileges; they are installed the same way as you would install other apps. That sounds very good; nevertheless, these are Google apps, and they can (and probably will try to) collect as much data as a user allows. Also, they can talk to other apps via inter-process communication. I still haven't found an answer to whether there is a chance for apps that have all network access revoked to "share" data with the internet via Google Play services, which would have network access allowed. If it weren't possible, I think the GOS developers would stress this point.

      If I wanted to stay away from Google as much as possible, and cared about the data that Google can collect via Google apps, I wouldn't advise installing sandboxed Google Play services just because they are "marketed" as sandboxed.

      You can get more information here:
      https://grapheneos.org/usage#sandboxed-google-play

      Edit:
      matchboxbananasynergy was faster, so some information is duplicated.
      I would just add that if you decide to install Play services etc., these have to be installed prior to the installation of other apps that depend on them. So you need to install those three Google components via Apps, and then you can proceed with the other installations. If you sideloaded a Google-dependent app and then installed Play services, the app might give you errors or force close.


        [deleted] I still haven't found an answer to whether there is a chance for apps that have all network access revoked to "share" data with the internet via Google Play services, which would have network access allowed. If it weren't possible, I think the GOS developers would stress this point.

        If an app doesn't have the network granted to it and Play Services does (this is not in any way exclusive to Play Services at all, I'm just using it as an example here since this is what we're talking about; the principle applies to all apps and is how Android works), if both apps agree to share specific data, Play Services could receive it and send it off to the Internet.

        On GrapheneOS, precisely because Play Services work in the same exact sandbox/context as all other apps, they cannot see or interact with apps in other profiles. If you absolutely don't want two apps to communicate, don't put them in the same profile. Again, this applies to all apps.

        An app doesn't need Play Services to send data to Google, they can include Google libraries and run Google code, and while it's true that you can turn an app's Network permission off, a lot, if not most of the apps that require Play Services for their functionality will fundamentally be apps that require network access for their core functions, so revoking the network permission from it is likely out of the question.

        An app that doesn't include Google libraries or Google code would also likely be an app that doesn't need Play Services, and won't communicate with it regardless.

        At the end of the day, you have to trust apps you use with the permissions you grant them. Thinking that Play Services are needed for them to send data to Google and that Sandboxed Google Play is what enables that isn't actually correct; as we've established, the entire point is that Play Services can do the exact same things as all other apps on GrapheneOS, unlike Stock OS.

        [deleted] If I wanted to stay away from Google as much as possible, and cared about the data that Google can collect via Google apps, I wouldn't advise installing sandboxed Google Play services just because they are "marketed" as sandboxed.

        Sandboxed Google Play isn't "marketed" as sandboxed. That's literally what it is. You're running the unaltered Play Services within the same app sandbox as everything else. Perhaps you didn't mean it in that negative way, but saying it's marketed, or putting "sandboxed" in quotes as if that's not what's happening, is a bit confusing.

          • [deleted]

          matchboxbananasynergy Perhaps you didn't mean it in that negative way, but saying it's marketed, or putting "sandboxed" in quotes as if that's not what's happening, is a bit confusing.

          This is a misunderstanding on your part.
          As you can see even in your citation, I didn't put the word sandboxed in quotes. So there was no evaluation, doubt or ridicule of Play services, and again, I didn't write marketed but "marketed", for want of a better word, yet I don't think the word is confusing in the context at all. The GOS team clearly pushes the term sandboxed Play services everywhere. There's nothing wrong with that.

          Nevertheless, thank you for quite a summary. It would be very helpful to put something like this on the grapheneos.org/usage page. I noticed a couple of threads in the forum, and you surely must have too, where users discussed this and searched for answers to these questions.

            [deleted] Apologies, you're right. I missed where the quotes were there. :) It probably stems from my personal negative connotation with the word marketing, which (unfortunately) often involves misrepresenting things to push a certain narrative and just wanted to reinforce the fact that GrapheneOS doesn't attempt to do that.

            [deleted] Nevertheless, thank you for quite a summary. It would be very helpful to put something like this on the grapheneos.org/usage page. I noticed a couple of threads in the forum, and you surely must have too, where users discussed this and searched for answers to these questions.

            There are parts of the documentation which explain that apps in the same profile can communicate via mutual consent. Is there something specific that you have in mind that is not being addressed?

              • [deleted]

              matchboxbananasynergy Is there something specific that you have in mind that is not being addressed?

              In the Usage guide, in the section Sandboxed Google Play, there is this paragraph:
              Since the Google Play apps are simply regular apps on GrapheneOS, you install them within a specific user or work profile and they're only available within that profile. Only apps within the same profile can use it and they need to explicitly choose to use it. It works the same way as any other app and has no special capabilities. As with any other app, it can't access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions. Apps within the same profile can communicate with mutual consent and it's no different for sandboxed Google Play.

              As can happen with meticulously worded text, a reader might not easily see the important information in the text, especially when the text is a little bit technical. Maybe it is there and it is clear; I do not see it.
              I would add a little notice for people who need more explicit wording, something along the lines of your reply:

              matchboxbananasynergy If an app doesn't have the network granted to it and Play Services does (this is not in any way exclusive to Play Services at all, I'm just using it as an example here since this is what we're talking about; the principle applies to all apps and is how Android works), if both apps agree to share specific data, Play Services could receive it and send it off to the Internet.

                Thank you for the replies @matchboxbananasynergy and @[deleted].

                matchboxbananasynergy A few of the apps you're mentioning may require Play Services to work or to provide certain functionality. If you're going to be using Sandboxed Google Play for app compatibility, I would personally also use Play Store with a dummy account made especially for that purpose. Aurora Store can be used as well, although it's not always ideal for a few reasons, including the fact that apps can refuse to work if not installed through Play Store itself.

                This is the approach I have gone with now. I have installed Google Play for compatibility but also use the Aurora Store. This Google account is only used on this phone.

                matchboxbananasynergy I hope that helps. Welcome aboard!

                Yes, it does help, thank you again.

                [deleted] I would just add that if you will decide to install Play services etc., these has to be installed prior to installation of other apps that depends on it

                Thank you, this is the approach I have taken.

                matchboxbananasynergy An app doesn't need Play Services to send data to Google, they can include Google libraries and run Google code, and while it's true that you can turn an app's Network permission off, a lot, if not most of the apps that require Play Services for their functionality will fundamentally be apps that require network access for their core functions, so revoking the network permission from it is likely out of the question.

                I currently have Google Play services with just the Network permission and Google Play Store with Network, Notifications and Sensors. I am wondering if it needs the last two...

                [deleted] As it can happen with meticulously worded text a reader might not easily see the important information in the text, especially when the text is a little bit technical. Maybe it is there and it is clear, I do not see it.

                I think I agree on this. Especially when the reader is an interested party, but arguably still a novice in the area (i.e. me). I wonder if this text could be supported pictorially, as people do take information in differently.

                  wetop and Google Play Store with Network, Notifications and Sensors. I am wondering if it needs the last two...

                  It doesn't. You can revoke the Sensors permission for all three of the Google apps (Play Services, Play Store and Services Framework) safely.

                  Edit for clarity: the notification permission isn't required either, it just might be useful, for example in the case that you use the Play Store for updates. Either way it's not a sensitive permission.

                  Something else you might want to check: go into Settings > Apps > Special app access > Wi-Fi control > Disable it for Google apps and any other app you don't fully trust, if you haven't already done so. It's automatically granted to apps that request it since it isn't considered to be a dangerous permission but it's still sensitive and isn't necessary at all in many cases.

                    Thank you for the reply @233328

                    233328 It doesn't. You can revoke the Sensors permission for all three of the Google apps (Play Services, Play Store and Services Framework) safely.

                    Edit for clarity: the notification permission isn't required either, it just might be useful, for example in the case that you use the Play Store for updates. Either way it's not a sensitive permission.

                    My Google Play services has 'Network', Google Play Store has 'Network' and 'Notifications', and Google Services Framework again has 'Network' access.

                    233328 Something else you might want to check: go into Settings > Apps > Special app access > Wi-Fi control > Disable it for Google apps and any other app you don't fully trust, if you haven't already done so. It's automatically granted to apps that request it since it isn't considered to be a dangerous permission but it's still sensitive and isn't necessary at all in many cases.

                    Thanks for the tip, I disabled it for the three Google apps. I also revoked it for one of my bank apps; I'm not sure it would need that access. Currently F-Droid, Proton VPN and Signal all have Wi-Fi control allowed.

                      • [deleted]


                      wetop Currently F-Droid, Proton VPN and Signal all have Wi-Fi control allowed

                      For your information, this permission has no effect on whether an app can connect to your Wi-Fi network.

                      I don't see any reason why any app should be able, on its own, to scan, create new networks or control Wi-Fi settings in any way.
                      It is the same thing with sensors. For instance, Spotify would try to get data from your gyroscope (and other sensors) all the time when it is running. I don't like these parasitic practices of these apps.

                      If you deny this permission to Signal or F-Droid, it will work exactly the same way...
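The two posts above recommend checking Settings > Apps > Special app access > Wi-Fi control and revoking it for apps that don't need it. The script below is an added example for doing that audit from a workstation over adb; it is not code from the thread, from GrapheneOS or from any of the apps mentioned. It assumes that the "Wi-Fi control" toggle maps to the CHANGE_WIFI_STATE app-op (readable with `adb shell appops get <package> CHANGE_WIFI_STATE`), that the tool prints either `CHANGE_WIFI_STATE: <mode>; ...` or `No operations.` when nothing was ever set, and that Developer options and USB debugging are enabled on the phone. The package names are the commonly used ones for the three Google components, F-Droid and Signal; confirm them with `adb shell pm list packages` before relying on the output.

```sh
#!/bin/sh
# Added example: audit which apps still hold the "Wi-Fi control" special app
# access (assumed to be the CHANGE_WIFI_STATE app-op) and print the adb command
# that would revoke it. Not part of GrapheneOS or of the forum thread.

# Packages to audit. The three Google components come first; the last two are
# the usual package names for F-Droid and Signal (verify with `pm list packages`).
PACKAGES="com.google.android.gms com.android.vending com.google.android.gsf org.fdroid.fdroid org.thoughtcrime.securesms"

# Extract the app-op mode (allow/ignore/deny/default) from the first line of
# `appops get <pkg> CHANGE_WIFI_STATE` output. "No operations." (assumed
# output when the op was never set) is reported as "default".
wifi_mode_from_appops() {
    line="$1"
    case "$line" in
        *"No operations"*) echo default ;;
        CHANGE_WIFI_STATE:*)
            mode="${line#CHANGE_WIFI_STATE: }"   # drop the op name
            mode="${mode%%;*}"                    # drop "; time=..." and the rest
            echo "$mode" ;;
        *) echo unknown ;;
    esac
}

# Succeed when the mode lets the app control Wi-Fi. "default" is treated as
# effective because, as the thread notes, this access is granted automatically
# to apps that request it rather than being a dangerous (prompted) permission.
wifi_control_effective() {
    case "$1" in
        allow|default) return 0 ;;
        *) return 1 ;;
    esac
}

# Query every package over adb and flag the ones that can still control Wi-Fi.
audit_wifi_control() {
    for pkg in $PACKAGES; do
        out="$(adb shell appops get "$pkg" CHANGE_WIFI_STATE 2>/dev/null | head -n 1 | tr -d '\r')"
        mode="$(wifi_mode_from_appops "$out")"
        if wifi_control_effective "$mode"; then
            printf '%-36s %-8s  revoke with: adb shell appops set %s CHANGE_WIFI_STATE ignore\n' "$pkg" "$mode" "$pkg"
        else
            printf '%-36s %s\n' "$pkg" "$mode"
        fi
    done
}

# Only talk to a device when invoked with --run, so the helpers can be sourced
# and exercised without a phone attached.
if [ "${1:-}" = "--run" ]; then
    audit_wifi_control
fi
```

Run it as `sh audit_wifi_control.sh --run` with the phone connected. A package that is not installed also yields "No operations." and is therefore listed as default; cross-check such entries against `pm list packages` rather than trusting the flag. Changing the mode with `appops set` is equivalent to flipping the toggle in Settings, so revoking it for Signal or F-Droid is reversible from the same screen.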

                        [deleted] If you deny this permission to Signal or F-droid, it will work exactly the same way...

                        That is interesting; I wonder what the reason is that they ask for this permission. I have turned it off now, to see if it has any effect...

                        Any more suggestions?

                        wetop I currently have Google Play services with just the Network permission and Google Play Store with Network, Notifications and Sensors. I am wondering if it needs the last two...

                        The baseline setup is GSF, Play Services and Play Store, all with network permission, and with Play Store having battery usage set to unrestricted. (This makes it so FCM notifications come in immediately and is generally the supported setup for it).

                          matchboxbananasynergy To get notifications working I only needed to allow Network and nothing else for GSF and GPS (with unrestricted battery). Since I don't download from the Play Store, I allow it nothing.