I understand that there are 3 Google services bundled as sandboxed apps in GOS. Which of the 3 sandboxed Google services do I actually need to receive notifications? Can I do without Store, and/or Google Play Service for instance?
You should install all three components (Google Play Services, Play Store and Services Framework) and grant a battery optimisation exemption to Google Play Services. It is advised to install all three to prevent breakage, since they depend on each other. It doesn't necessarily make a lot of sense not to install all three components, as installing Play Services, for example, is enough for Google to collect data on your device, so also installing Play Store won't change anything about Google's capability to collect data, as long as you don't grant it more permissions. If you only need the Google apps in order to provide notifications, revoke all permissions aside from Network for each of the three components and it'll work fine.
Depending on which of the Google services I need to install for notifications to work, does it make any sense to download ProtonMail in Aurora Store (or to get the apk on Proton's website) instead of using the Google Play Store? In other words: if I absolutely need Google Services to get PM notifications to work, does it even make sense to avoid the Google Play store privacy and/or security-wise? (The same question goes for other apps: if I need to install Google services on my main profile because of PM, does it make sense to install other apps via Aurora instead of Google Play Store?)
It depends. The Play Store requires a Google account to download and update apps. Assuming you want to avoid giving Google more personal information:
- If you are able/willing to create an anonymous Google account just for that purpose (you have access to a temporary phone number when you are asked upon account creation for example), then it doesn't really make sense not to use the Play Store since you wouldn't really be giving anything up while having the benefit of auto-updates and better-supported software (Aurora Store might sometimes be unreliable).
- If you aren't able/willing to create an anonymous Google account just for that purpose, then it might not be worth the convenience and cleaner experience for you.
I paid for an SMS verification number online with Monero to create a Google account for the specific purpose of downloading and updating apps and it works very well. Here's a guide someone made that might help you: https://cascade.weblog.lol/how-to-create-and-use-a-google-account-anonymously-on-grapheneos. Edit: credit to @cascaderainfall
If you already have a Google account and don't mind linking your Play Store activity to it, or if you don't mind giving your personal info when creating your Google account, then there isn't any reason not to use the Play Store.
I thought of a potential work-around, but obviously cannot try it myself until I get a Pixel with GOS, so I'd love it if someone could tell me how feasible that is: what if I install ProtonMail on the main profile BUT don't install any Google service (thus I would have a working PM app without notifications), THEN create another profile on which I'd install Google services & ProtonMail (in order to receive notifications for PM in that profile) AND activate the option to receive notifications cross-profiles? Would this be a working way to get notifications in PM on the main profile without the need for Google services on this profile? Is there even any advantage to doing that?
The benefit I see with your idea would be that you would have a way to be notified every time you receive an e-mail, while keeping Google Play apps separated from your main profile. I suppose you would then manually refresh your inbox in your main profile every time you receive a notification. But there would be several disadvantages. If you need to be able to receive notifications at all times, this setup would require that after every reboot you also remember to log into the secondary user profile. This would also increase power consumption since you'd have two profiles running at all times. The cross-profile notifications also wouldn't show any information about the e-mails you receive; they would just tell you that ProtonMail sends you notifications, so you would have to manually check in the ProtonMail app in your main profile in order to know anything about what you received.
If you absolutely need ProtonMail notifications and absolutely want to keep your main user profile clean of any proprietary Google code, it might be your best option. It seems overkill to me, but we each have unique needs. If I were you, I'd either just install sandboxed Google Play in the main profile or give up altogether on instant notifications for ProtonMail. Assuming you use other apps like Signal, installing sandboxed Google Play in your main profile would have the added benefit of decreasing power consumption, since sandboxed Google Play would be able to manage notifications not just for ProtonMail but also for other apps.
I think your best bet is to try out different setups and see what you prefer. You can always try something for a week and restart from scratch easily, before getting too settled into GrapheneOS.