To some extent, it's a matter of privacy vs. security. Often the two go together, but not always.
The most secure way to do it is to not use any third-party apps.
If you are willing to give up that level of security (as most people are), then a slightly more secure way to proceed is using Google Play. However, a much more private way to proceed is by avoiding Google services directly, using Aurora or one of the ad-filled services also available. Is it private? Most likely, yes, much more so than using Google Play. Is it secure? Well, not as much as using Google Play. Aurora or whatever other service you use could inject malware into the application. Or even if they operate with the best intentions, their systems could be compromised, and a malicious actor could do it without them knowing.
If you are the target of a nation-state, then this is something you should seriously consider. If you just want to stop feeding Google all of your data, then this might be fine. The risk analysis is ultimately yours to do. Sandboxed Google Play on GrapheneOS is still a lot better than Google Play on an OEM phone.
Personally, I want to feed Google as little as possible.