crimsonpython24
crimsonpython24 1. Applications downloaded from Aurora Store/F-Droid are also completely sandboxed by Graphene and prevented of higher leverage, like those downloaded from Google's Play Store?
All apps from all sources are sandboxed the same.
crimsonpython24 2. Even if I must use a throwaway Google account for Aurora store, apps downloaded from Aurora will still leak less data than the same app downloaded from Google's Play Store?
No. Whether you download from Aurora store or Play store you are getting the exact same app. Whether you use an Aurora account or use your own account through Aurora you also still get the exact same app (both from the Play repository). This means the "app" itself doesn't leak any more or less data.
However (I am not 100% sure of this but others can correct me if I'm wrong) , when you download an app through a particular google account, it is possible for google to attach a "unique" ID number to that app which associates it with that google account. So for example if I download app "X" with an Aurora account, and then I download the same app "X" with my own account through Aurora, the "execution code" of both apps are exactly the same, however their ID's are different. So the downloaded packages are not exactly the same, but the actual app inside the package is the same. This ID may also be passed to the app itself "somehow"! (I don't know how). Therefore, it can be concluded that every app can be associated with a particular google account (aurora@gmail.com, user@gmail.com, apkmirror@gmail.com,
etc) if they are being downloaded from the Play repository. It is not possible to acquire an app without an account from the Play repository.
Shared account apps is normally not a problem, except for some apps (financial, etc) that use this uniqueness to prevent multiple installs of the same package.
So the only difference in downloading with own account or Aurora account (when downloading from Play repository) is that this ID can be known by the app and shared/leaked by the app to other places.
Downloading apps using Playstore with "own account" compared to downloading with Aurora with "own account" doesn't make too much difference from the app's privacy perspective. The difference may be that if Playstore is present and active it can send more data about your system and can engage in IPC with some apps. For more info on Playstore's tracking read the GOS faq and documentation.
crimsonpython24 So for questions 1 and 2, I believe that the download source doesn't matter for the same application as long as the source's trustworthy?
Again no. This is not entirely true. There are some difference. Some app providers provide different versions of their app for different platforms. An example of this is OsmAnd+, Geometric Weather, and Simple Gallery. Apps sometimes include proprietary third-party libraries. In these 3 apps for example the included libraries can be different depending on whether you download them from Playstore, Fdroid or from Github. In the case of Geometric Weather for example, the most blob free version is the one from Fdroid (though it doesn't mean that the other versions are bad. One simply doesn't know their implications unless you investigate).
So, the privacy of an app from a source is something you'd have to check for each app separately which is tedious task and there is no way around it.
I recommend you read these threads:
https://discuss.grapheneos.org/d/2299-install-apps-from-gplay-rep-fdoid-rep-or-githubwebsite/
https://discuss.grapheneos.org/d/2962-app-repositories-google-vs-aurora-vs-apk-vs-fdroid