For your first question, you likely weren't using airplane mode, so the app was able to determine the country code based on the surrounding cell towers and/or the SIM card in your phone, using the country code burnt in it. There's nothing unusual about this, and it's all documented on the GrapheneOS website.
For your second question, the Amazon app you had in the same profile provided this to the Prime app, as the other user above said, apps can mutually agree to pass data back and forth. This is expected. If you don't want apps to be able to communicate with mutual consent, put them in different user profiles.
For your first concern, there's already a filed feature request on the issue tracker:
For restricting app communication within the same profile, the project has been working on a feature that does this in a comprehensive manner, which will take a lot of work so that it's not leaky. Again, for now, using user profiles to isolate apps from one another is the correct approach. Details on this potentially upcoming feature here:
Now, if I may: it's perfectly fine to have questions and concerns. After all, you're using GrapheneOS because you care about security and privacy. But your wording makes it sound like what you experienced is outside of the norm, not documented or unknown, which is not the case. I would like to ask you to please frame questions like this as what they are... questions, and to not make claims that GrapheneOS is somehow not secure or private just because you experienced something you did not understand.
I will also take the liberty to change the title of this thread to better describe your actual questions instead of the current title, which is sensational at best. Thank you for your understanding.