Calyx frequently spreads misinformation about sandboxed Google Play and microG. They falsely claim the microG approach avoids running proprietary Google Play code, which is untrue. Reality is you give more access to proprietary Google Play code on CalyxOS than with GrapheneOS.
Maybe I’m confused, but the microG client which Calyx runs is open source (i.e. GmsCore). microG can be a user app (see DivestOS), but for a lot of functionality microG needs system privileges (e.g. SafetyNet bypass).
What I know for a fact is proprietary is the DroidGuard system that microG uses to bypass SafetyNet. Also of course, for providing push notifications, microG contacts Google Firebase. But this is an issue for both Google Play Services (sandboxed) and microG, and the alternative is using apps supporting something like unifiedpush.org for push notifications.
We aren’t going to build entirely unnecessary and extremely problematic privileged access for poorly secured third-party apps like F-Droid and Aurora Store in GrapheneOS as CalyxOS does. Those apps use privileged install access insecurely… and automatic updates work fine without it.
Also, this is outdated. Calyx has already removed the F-Droid Privileged extension and moved away from including F-Droid as a system app. They switched to the Basic version which auto-updates without privileged services.
F-Droid Privileged extension and Aurora Services still exist, but they are planned to be removed soon. Currently they exist for the welcome wizard on Calyx that allows users to pre-install apps.
Oh, and here’s the issue regarding deprecation: Privileged extension deprecation (F-Droid, Aurora Store update handling) (#1943) · Issues · CalyxOS / calyxos · GitLab