I’ve been using GrapheneOS on a Pixel since 3a and thanks to continual addition of new features I’ve tried different builds. This one stuck with me the longest:
clean install of GrapheneOS
secure the internet with DNS over TLS
install Google Play services, log in with disposable acc (ideally remember credentials)
download all closed source apps (gboard, gcam, speech recognition and synthesis, etc.) and set them up online
deny Network permission for those apps (unless trusted, e.g. magic earth)
uninstall Google Play services
get the rest of the apps from App Store > Accrescent and apks (Obtainium)
create New user profile
install Google Play services, log in (possibly with the same acc)
install closed source apps from step 4. again
disable unused apps in New user profile
keep Google Play services on New user profile for updating (even disabled) apps for both profiles
I would advice against using a google pixel 3A as its no longer supported by Graphene OS and does no longer get security updates, see Frequently Asked Questions | GrapheneOS for more information.