6gsxdr3U I presume that the exploit would operate with the same permissions as the compromised app.
At least to start with.
6gsxdr3U Would the sandboxing mechanism of GrapheneOS prevent the payload from escalating [its] privileges further?
That's the idea! But it's not possible to provide precise answers when the question is "Exactly what would happen after something happens that isn't supposed to happen?".
If an evil image can result in code execution, that's RCE ("remote code execution"). The next question is "how much code can be run, in what context?". If it's only a little code, but the little code can open up a network connection and download more code, that's bad.
6gsxdr3U How would the app-specific permissions come into play? For instance, if the vulnerable app had not been granted any network-related permissions, and the payload is loaded manually, e.g. by opening a file (payload) from disk within the messenger app, would the permission system prevent the exploit from establishing a connection once it is executed?
That's the idea! But if the RCE is coupled with a privilege-escalation attack, then maybe the code can take over more than just the one application.
Would hardened_malloc provide additional complications for an attacker trying to craft a payload?
That's the idea!
I've read that this WebP attack was carried out by NSO, i.e., a highly-skilled and well-funded attacker. Highly-skilled, well-funded attackers (including the governments of North Korea, China, the U.S., etc.) are good. It would not be surprising if NSO had a full-time staff member searching for Android privilege-escalation attacks to be deployed any time an RCE is found. It would not be surprising if some APT had a full-time staff member dedicated to GrapheneOS vulnerability research.
Good vulnerabilities are worth a lot of money, so a good one may be deployed judiciously against a small number of high-value targets, rather than against "regular people". So if you are a regular GrapheneOS user, the increased security of GrapheneOS versus baseline unpatched Android, plus you not being a high-value target, may put you in a good place. But if you are a high-value target then you'd better be deploying good opsec.
A lot of people are running old versions of Android that have lots of known vulnerabilities. You may wish to avoid doing that. GrapheneOS chooses devices carefully, and issues security updates promptly, and doesn't ship a lot of convenience-only features, and drops support for old devices -- because skipping any of those adds a lot of risk.
Please note that I don't speak for the GrapheneOS project.