vvf69107 So basically as soon as one non FOSS app has network access, security is (could be) no more?
That phrasing sounds as if there might be a buried premise that open-source code is not exploitable. But open-source code is routinely found to have exploitable bugs that can result in data being exfiltrated.
Meanwhile, let's say pieces of Google code do conspire to exfiltrate your data. Things like that have happened in the past. For example, recently there have been reports of various AOSP-based phones sending user data back to the equipment vendor. When this is detected, the company in question takes a reputational hit. Sometimes governments enforce penalties.
For each scenario the possibility that your data could be exfiltrated should arguably be weighed in light of the likelihood. Of course, different people will estimate likelihoods differently.
As I think somebody else pointed out, maybe in a different thread, IPC isn't the only way malicious code could exfiltrate data. It is possible to encode data in high-frequency sound and transmit it through a speaker, or even to modulate CPU power usage in ways that cause a DC-to-DC converter to sound different.
If one is concerned that Google code is particularly likely to exfiltrate one's data (via IPC, high-frequency sound, or power modulation), maybe not running Google code might be more important than hoping IPC filtering will make exfiltration impossible.
GrapheneOS's sandboxing of Google Play Services probably does protect against situations in which that code does something malicious because it's exploited. GrapheneOS's sandboxing of Google Play Services may well not protect against that code deliberately exfiltrating your data.