My guess is the app is flaged as untrusted while it tries to Mount in /tempts and gets selinux denials:
first on app launch:
10-28 21:21:52.339 W/mount (24194): type=1400 audit(0.0:253331): **avc: denied { search }** for name="vendor" dev="tmpfs" ino=45 scontext=u:r:untrusted_app:s0:c29,c258,c512,c768 tcontext=u:object_r:mnt_vendor_file:s0 tclass=dir permissive=0 app=com.imaginecurve.curve.prd
10-28 21:21:52.339 W/mount (24194): type=1400 audit(0.0:253335): avc: denied { getattr } for path="/metadata" dev="sda24" ino=2 scontext=u:r:untrusted_app:s0:c29,c258,c512,c768 tcontext=u:object_r:metadata_file:s0 tclass=dir permissive=0 app=com.imaginecurve.curve.prd
And then when hitting "enable curve pay" with the same error.
Reading from https://www.linuxtopia.org/online_books/getting_started_with_SELinux/SELinux_log_file_messages.html
The "avc: denied" means that the operation was refused.
The "{ getattr }" means that someone tried to stat() the file. In this case, the file's attributes were looked up first (or at least, the operation tried to look them up), couldn't get those attributes and gave up.
The contents of the braces {} contain the operation or operations that were relevant to what SE Linux was doing. SE Linux can audit both allow and deny events, and in this case was auditing a deny and as such, tells you want was denied.
"for pid=" is the process id of your operation.
"exe=/usr/bin/vim" is the command you executed (in this case, vim).
"path=/etc/shadow" is the path to the object you tried to perform an operation on.
"dev=03:03" is the device number of the block device used for the file system concerned. So the first "03" means hda and the second "03" is 3, so this "dev=03:03" refers to /dev/hda3 (or if you're running devfs /dev/ide/host0/bus0/target0/lun0/part3). When SE Linux is auditing permissions it doesn't know the full path of the object you're trying to perform an operation on so it can't log anything but the device that you mounted and the location within the device. All it knows is the path relative to the file system, and the block device number for the file system. Say you access /etc/shadow. SE Linux doesn't know this file is in the root file system. All it knows is that the file is /etc/shadow within the file system it is working on.
"ino=123456" is the inode number of the object (in this case /etc/shadow)
"sc is the source context of the process performing the operation.
"tc is the security context of the target object (/etc/shadow).
"t means that the target object is a file.
In plain words app want to read system folders and gets rejected
ls /metadata
apex lost+found sepolicy vold
bootstat ota staged-install watchdog
gsi password_slots userspacereboot
I'm rooted , not on a pixel device , not on grapheneOS but I can test things up If any android Dev reads here and can make any sense from this and how to troubleshoot it