For anyone looking at this question later, the GrapheneOS website says:
GrapheneOS adds a Network permission toggle for disallowing both direct and indirect access to any of the available networks [...] the Network permission toggle prevents apps from using the network via APIs provided by the OS or other apps in the same profile as long as they're marked appropriately.
Which seems to pretty clearly answer the question.