VAULT I was happy to test, but I guess I don't test any more unless I wipe everything with Exp V3...
The general principle is that if you sideload an OTA image signed by the same key that signed your current OS, and the image is newer (in a version-number sense), then Recovery will accept the OTA image. Likewise, if the system updater fetches an OTA image signed by the same key that signed your current OS, and it is version-number newer, it should install via reboot (I think the installation goes through Recovery as well).
Wiping your device is necessary to install an OS which has a different signer than your installed OS, or that has the same signer but is older (in a version-number sense). Recovery will reject the image in those cases as potentially being malware or a downgrade attack.
None of the computations about what is legal to install are based on release channel labels (experimental, alpha, beta, stable) -- those tags control what gets downloaded for install attempts, period. The images themselves aren't tagged as alpha or beta, etc., and in the standard case a single image is first downloaded by alpha devices, then alpha and beta devices, then alpha and beta and stable devices.
In other systems you might have a beta-release kernel that has more logging than a stable-release kernel later built from the same source, so the beta-release kernel would be a different image from the stable-release kernel. But that is not how GrapheneOS releases work at present.
Please note that I do not speak for the GrapheneOS project.
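A simplified model of the rule described in the post above, added here as an illustration; it is not part of the original post and is not GrapheneOS or Recovery code. The names `Image`, `recovery_verdict`, `offered_to` and `simulate`, the signer labels and the version numbers are all constructed, and the handling of an equal version is an assumption because the post does not cover it.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ACCEPT = "install without wiping"
    WRONG_SIGNER = "reject: different signing key (wipe required)"
    DOWNGRADE = "reject: older than installed OS (wipe required)"
    SAME_VERSION = "nothing to install"  # assumption: equal versions are not covered by the post

@dataclass(frozen=True)
class Image:
    signer: str   # constructed stand-in for the identity of the signing key
    version: int  # constructed build number; higher means newer

# Staged rollout from the post: one image, offered to more channels over time.
ROLLOUT = ["alpha", "beta", "stable"]

def offered_to(channel: str, stage: int) -> bool:
    """Download selection only: at rollout stage N the image reaches ROLLOUT[:N+1]."""
    return channel in ROLLOUT[: stage + 1]

def recovery_verdict(installed: Image, ota: Image) -> Verdict:
    """Install decision: depends on signer and version, never on a channel label."""
    if ota.signer != installed.signer:
        return Verdict.WRONG_SIGNER
    if ota.version < installed.version:
        return Verdict.DOWNGRADE
    if ota.version == installed.version:
        return Verdict.SAME_VERSION
    return Verdict.ACCEPT

def simulate(installed: Image, ota: Image, channel: str, stage: int) -> str:
    """What a device on `channel` sees for `ota` at rollout `stage`."""
    if not offered_to(channel, stage):
        return "not downloaded"
    return recovery_verdict(installed, ota).value

if __name__ == "__main__":
    device = Image(signer="key-A", version=100)  # constructed device state
    newer = Image(signer="key-A", version=101)
    for stage in range(len(ROLLOUT)):
        print(stage, {c: simulate(device, newer, c, stage) for c in ROLLOUT})
    # Sideloading skips the channel filter and goes straight to the verdict.
    print(recovery_verdict(device, Image("key-A", 99)).value)
    print(recovery_verdict(device, Image("key-B", 101)).value)
```

The same image yields the same verdict on every channel once it is offered there; the channel only changes whether an install attempt happens at all.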