I've heard that GrapheneOS is more secure than CalyxOS's microG, but just from how (I think) they work it doesn't seem that way to me so I'd like some clarification.
One thing to keep in mind is that security is not the same thing as privacy, but that good security is necessary for privacy. Graphene applies several security improvements to AOSP. See https://grapheneos.org/features for examples.
With microG, you can enable Google Play Services features without ever having to login to a Google Account, so it only sends basic device information. With Graphene's sandboxed Google Servies, you have to sign-in with an account.
It is necessary to sign into Google Play to download software from the store but not to make use of the services.
Wouldn't that make it less secure?
This appears to be a question about microG and sandboxes Google Play. I believe microG in Calyx is a privileged application while Google Play in Graphene uses the standard application sandbox. Graphene's solution should be more secure. Also note that Google Play is optional in Graphene.
And with apps downloaded from the sandboxed PlayStore, would Google Services be able to track and take data from what you do on those apps?
Google will know that the applications are downloaded, but using a Google Play doesn't give Google special access to application data.
Or are they all completely separated with no inner-communication?
Applications normally don't communicate with one another except by mutual consent. I believe notifications is a common use case for this, but note that microG also communicates with Google as part of its necessary function.