(Rethinkdns) does, however, support sending network traffic to a VPN using the WireGuard protocol.
Ok, so I have PIA. How do I get it to work through that? As I understand it, you're saying something theoretical.
There are various ways you can mitigate potential risks.
Not if it's a file manager or a keyboard or tv controller or drone or LAN IoT monitoring device. At least you didn't give any applicable actionable points.
There are various well-documented methods that a malicious app could use to work around the methods you are using on your rooted, AFWalled device to try to restrict them from exfiltrating data.
With the Xposed framework, root and a firewall you can do your own testing, run exploit test apps and verify yourself whether you're airtight in a given configuration on a particular phone and use case.
Select apps made by developers that are more trustworthy.
I wasn't suggesting not to use apps AT ALL
Yeah, I got that - and I pointed out that it is 100% impossible to access entire classes of apps - e.g. there are 0 (zero) smart TV apps that are not invasive. And I also pointed out we have the option to deny all network for good reasons -- e.g. a keyboard app should 100% of the time be denied access to any internet, NO MATTER HOW MUCH YOU TRUST IT, even if the current version doesn't request network access at all - there's too much keylogging risk.
To be clear, I'm not demanding GrapheneOS implement and maintain some firewalls or whatever. But we need some exposed ability to control the WAN.
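What "deny all network for one app" looks like on a rooted device, as an added example that is not part of the thread and not AFWall+'s own code: the netfilter owner match keys rules to the app's Linux UID, so the rule holds even when the app never requested the INTERNET permission, and it applies before any VPN or tun interface sees the packet because it sits in the OUTPUT chain. The UID 10123 and the APPLY switch are assumptions made for the example; everything else is standard iptables syntax.

```shell
#!/bin/sh
# Added example: deny all network egress for one Android app UID using the
# iptables owner match (the same mechanism a root firewall such as AFWall+
# drives). Not code from the thread or from AFWall+/GrapheneOS.
# Run as root on the device with APPLY=1 to install the rules; without it
# the commands are only printed (dry run), which is all this script does
# on a non-Android host.

# Look up the UID that owns a package's private data directory.
# Assumption: the device ships a stat that supports -c (toybox does).
uid_for_package() {
    pkg="$1"
    stat -c %u "/data/data/$pkg"
}

# Emit one complete command per line for both IPv4 and IPv6.
# -I OUTPUT 1 inserts at the top so the deny wins over any permissive rule
# that a firewall app appended below it. REJECT rather than DROP makes the
# app's connect() fail immediately instead of hanging until timeout.
deny_uid_rules() {
    uid="$1"
    for tool in iptables ip6tables; do
        echo "$tool -I OUTPUT 1 -m owner --uid-owner $uid -j REJECT"
    done
}

# Install the rules, or just print them when APPLY is not set to 1.
apply_deny_uid() {
    uid="$1"
    deny_uid_rules "$uid" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            # shellcheck disable=SC2086
            $cmd
        else
            echo "$cmd"
        fi
    done
}

# Constructed example: 10123 is a made-up UID standing in for a keyboard app.
KEYBOARD_UID="${KEYBOARD_UID:-10123}"
apply_deny_uid "$KEYBOARD_UID"
```

To check that the rules took, `iptables -L OUTPUT -n -v --line-numbers` should show the REJECT entry for that UID at position 1 with its packet counter climbing whenever the app tries to connect. The match covers only sockets opened under that UID; anything the app hands to a different UID through an intent (a browser, a share target) leaves under the other app's UID and is not caught by this rule, which is the class of workaround the earlier reply refers to.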