GrapheneOS developed our sandboxed Google Play compatibility layer to provide support for running Google Play as regular apps in the full standard app sandbox. They work like any other apps and can't do anything that a regular user installed app can't do. Since they're regular apps, all our work on improving the app sandbox and permission model in a compatible way applies to them. For example, you can revoke our Sensors toggle from them (or even Network, but that would prevent using their services, which many apps depend on for real use) and can use Storage Scopes instead of granting any storage permissions, etc. In practice, you don't need to grant any permissions to Google Play when using sandboxed Google Play. Our location rerouting feature reimplements the Play services geolocation API based on the standard AOSP location API based on GNSS (GPS, GLONASS, etc.) + A-GNSS. If you really want to use Google Play network location, it's possible, by granting background location access to it, enabling their network location toggle and disabling our location request rerouting feature. We plan to provide more of these rerouting features in the future when it makes sense.