great question from @"nosferatu", great answers!
I can only add my experience with a few tips for beginners, who will read this thread later:
I am also a fan of Josh/Side of Burritos and have learned much about GrapheneOS from this smart guy!
But the GUI/menus of GrapheneOS and the way to install sandboxed Google Play Services has changed a little since the beginning and it looks completely different now if you compare it with Josh's great YT videos (1–2 years old).
That can confuse beginners a little bit, but it's no real problem.
– I use my owner profile clean (without Google Play Services).
– For banking apps and few other apps which need GSF I have a second profile named Google.
This profile I use not every day and for minutes only – check my bank account, use DHL app when waiting for delivery of a parcel, using “My o2” provider app by Telefónica sometimes to check for a better tariff plan etc.
Make a photo with Google Camera and watch/edit it thereafter with Google Photos, maybe use the eraser or crop the image. For GCam and Photos apps I have set the storage scope to camera path only: Main storage/DCM/Camera.
Two advantages of my setting:
– My owner profile is clean – no Google Play Services.
– I can save much energy (battery lasts longer) …
… because of having rarely used apps separated to a “Google-profile” I don't switch to owner profile after using it!
Instead I log off, so “sandboxed Google Play” does not have to run permanently in background, consuming energy…
Logging off makes the profile inactive so that none of the applications installed in it can be run. It also deletes the disk encryption keys from memory and hardware registers, returning the user profile to sleep mode.
In another thread of this great forum I read about no need for Google Play Services, when using GCam.
This needs a GrapheneOS update from April 2023.
I have tested it by installing GCam w/o permission for internet on my owner profile.
And because GCam needs Photos app as preview (!), have also installed Photos app w/o permission for internet.
Conclusion: works fine! GCam and Photos on owner profile with storage scope path: Main storage/DCM/Camera.