> If GrapheneOS is not tightly sandboxing them

It is. HN user strcat has posted extremely detailed comments on the matter.

https://news.ycombinator.com/threads?id=strcat