Best ways to obtain apps on Android and is revoking the Network permission enough? (GrapheneOS)

Hi there! Welcome to the forum, @Jegah!

You have a lot of inquiries here, so allow me to address these point-by-point:

1. What is the current stance on running “bad” apps without internet access?

Let’s get one thing out of the way. The Network permission that GrapheneOS adds works. It isn’t leaky or faulty, so it’s enough. However, having a bit of context and insight into how Android works will help you make the appropriate decisions for your needs.

If you deny the network permission to an app (let’s take Google Camera as an example), it cannot communicate with the Internet. However, apps on Android can communicate with each other via mutual consent. In very simple and non-technical terms, here’s what this means:

If two apps mutually consent to talk to one another, they can do that. If you have Google Camera and another app in the same profile, if both of these apps agree to communicate with one another, and the other app has network access, it could theoretically have data passed on to it from Google Camera which it can then send to the Internet.

This is not really a concern in most cases. However, notice how I said that these apps need to be in the same profile. To mitigate this concern, you can separate apps that you think may communicate in their own user profiles. App communication via mutual consent is not possible across profiles.

2. If it is enough, what is the recommended way to download closed source apps like that on GrapheneOS?

GrapheneOS recommends Play Store via their Sandboxed Google Play compatibility layer. It is a great choice when it comes to security. There are privacy drawbacks (or at the very least privacy annoyances) with this approach, as you’ll need to create a Google account to use it, but you can create a disposable one with minimal information just for this purpose.

Aurora Store is okay, but it is not perfect. I would say it’s currently one of the best solutions on DivestOS (which lacks Sandboxed Google Play), but not GrapheneOS.

I will address this specifically because I feel the need to stress this: Please don’t.

You should always stick to official versions of apps and not “modded” or “hacked” versions. You simply do not know what you’re downloading and it may be much worse than just getting the official app.

On Google Camera specifically, you should avoid installing “Gcam Services provider” and instead download GSF from GrapheneOS’s “Apps” app.

3. What about open source apps that have alternative ways to be downloaded?

For reference (especially to people who are not the OP who stumble on this thread), here are our recommended ways to obtain apps:

Obtaining Applications on Android - Privacy Guides

We currently recommend avoiding the main F-Droid repositories, as well as the IzzyOnDroid repository.

The issues with the main F-Droid repository are well documented. While IzzyOnDroid is mostly an improvement compared to the default, we cannot recommend it as apps can be removed from that repository, leaving you without updates, and sometimes the repository’s maintainer makes a lot of other peculiar choices such as only distributing 32-bit versions of apps because of storage concerns (Joplin on IzzyOnDroid is an example of that).

You can theoretically use F-Droid repositories by developers directly (such as NewPipe), but I would recommend that if you can obtain an app a different way, you should opt for that instead of getting sucked into F-Droid’s ecosystem. Furthermore, there are issues with app stores allowing for multiple third-party repositories which are briefly touched on here:

Vanadium is a great browser, and it’s what I use on GrapheneOS. The reason why we don’t recommend it on our Mobile Browsers page is because it’s GrapheneOS exclusive.

Vanadium is mostly focused on security, and it takes advantage of OS hardening to do that. Brave is a fine choice, and it does offer fingerprinting protections that Vanadium doesn’t. It’s up to you which you’ll choose for your use case, but Vanadium takes the cake when it comes to a robust, secure and minimal browser.

I hope this answers your questions. Feel free to reach out again if not. Furthermore, I would highly suggest signing up to the GrapheneOS forum as well: https://discuss.grapheneos.org/

5 Likes