This is what my setup is right now. There are no usability compromises I can speak of while maintaining a reasonable level of privacy and security imo.
Profile 1 (Everyday Use):
Biometric unlock, Google Services Framework, but no Play Services of Play Store.
Apps: Aegis, Aurora Store, Bitwarden, Notally, Molly (Signal), Mullvad VPN (with DNS blocking), Musicolet, Neo Store, Organic maps, Proton Calendar, WhatsApp, Vanadium.
I also replaced the AOSP apps with the default apps (Camera, Calculator etc.) by Google with network permission turned off.
Profile 2:
PIN lock. This profile is for my banking 2FA apps which require the full Google Play Services (no network permission) enabled to run.
I'm in Germany so unfortunately it's impossible to ditch WhatsApp for me. I used to have a third profile with WhatsApp and other privacy invasive apps inside, but especially for whatsapp it was just too much of a hassle to share contacts and photos between profiles, for other services I have moved to Vanadium.
I really like this thread, interesting to read what everyone makes of the tools.