iak Apps within the same profile can communicate with mutual consent. You're using this app in the same profile as sandboxed Google Play, which provides an API for showing ads. The API doesn't permit network access so they don't mark it as requiring the INTERNET permission. Similarly, FCM only allows receiving push messages rather than sending data so they decided to use their own permission for it rather than the INTERNET permission and their own permission isn't user-facing.
For now, you put the app in a separate profile from other apps you don't want it to be able to be able to talk to. We have a planned App Communication Scopes feature to provide control over app communication within profiles too. It wouldn't really be any easier to add a special case of the feature for a specific app and that wouldn't be in the spirit of GrapheneOS. The whole point of sandboxed Google Play is that it runs as regular sandboxed apps unable to do more than other apps and controlled by the same permission model including our enhancements to it like our existing Storage Scopes and Contact Scopes features similar to our planned App Communication Scopes feature. App Communication Scopes is being actively worked on but it's difficult to implement correctly and as always we care deeply about doing things properly, not taking an insecure shortcut not providing real privacy and security as many people often propose doing.