If you want to be sure you cant be tracked, monitored, spyed on, and calls can't be intersepted:

Don't ever connect it to WiFi and don't insert a sim card.

Graphene or not, your ISP can still share your position or other meta data with government and stuff (in the us they can also be forced to not tell you) - in some countries they legally sell to third party's, in some probably illegaly

Calls are normally not encrypted so the os doesn't matter as much if its the government who can force your ISP or if someone is skilled enough for a Man in the middle attack.

Android is a highly complex system, it will never be 100% safe.

If you just want to decrease spying by companies and less powerful people:

Use neo store or fdroid (no google play or aurora) as all apps there are Foss

Don't install gapps or any other google services/packages

Use shelter for less trusted apps

Use netguard to block apps from accessing the internet

Physically block your cameras

If you want to be absolutely sure no one is recording audio: destroy mics with a needle and connect headset only when you need it

To only use communication apps which are encrypted and you hold the keys should be not needed to be said: matrix, signal, element, xmpp are good, (telegram (normal chats), Facebook, WhatsApp etc is a no go)

First off, and most importantly, it is not an anonymous phone.

The phone is tied to your location, your identity with your cell phone carrier, the IMEI, the IMSI, many identifiers you will not be able to change. From a threat modeling perspective, you cannot be attached to a network without tracking, interception, and monitoring.

You can use your phone in a way to minimize third-party tracking, and unnecessary data leakage. You did a good job by installing graphene OS.

Just be mindful of the applications you install on it, if you install sandbox Google apps, just realize Google will still have access to your location and push notifications etc.

If your threat model truly includes not being observed, disable the cell phone part of the phone. Only use the phone via Wi-Fi. That'll reduce a lot of the risk surface

It will never be any of those things.

If you want to get close as possible, this is going to be a LONG conversation and has less to do with the device and more to do with how you use it and what sacrifices you're willing to make.

I'm going to pivot this answer, to the more general: what's good data hygiene for my phone?

No specific threats, but what's the easiest things I can do to regain as much privacy and autonomy as possible.

Using graphene OS is great, good job.

Using always on VPN, like mullvad.

Set up a work profile, and install Google services inside the work profile, you can use shelter to do this. Then anything you need that requires Google, like Google maps, Uber, Lyft you can use it from that profile.

Use a secure messenger like signal, or simple x, with your friend group. To prevent metadata and unencrypted cell phone calls from leaking

I highly, highly, highly recommend you read privacy guides https://www.privacyguides.org/en/

Start with the basics. Use a VPN preferable a good one payed in crypto /XMR or cash. Use Foss apps only check out F-droid.

Also one that blocks malware and ads. If not use adguard.dns or other that filter traffic

Settings , disable 2-3 G if you always have access to 4-5 G .

Don't change add browsers use vanadium. No gapps obviously.

The more challenging is to just use it as WiFi phone without SIM.

I use TrackerControl (f-droid).

It's an app that can turn off entirely internet access to an app or granurarly tweak which domains can comunicate with.

Its still being tracked even with gos. Just maybe Google isn't tracking you.

For example, using Aurora Store and Obtanium instead of Google Play and avoid enabling Google Play Services.

Congratulations on your first steps in GrapheneOS!

In order to best help you and give relevant suggestions, we need more information of who you are trying to be private from.

If your threat model is particularly sophisticated, it may be recommended that you do not use a sim card, or at least never when your phone is at home. Instead, exclusively rely on WiFi. It may also involve desoldering your microphone and camera and only make calls using an earpiece.

These are not recommendations, but simply examples of how far one can go with respect to their threat model. If you would rather want to avoid "regular" spying by google, Facebook and the likes, you may be better off selecting a private DNS (for example Mullvad's extended DNS which comes with social media filtering https://mullvad.net/en/help/dns-over-https-and-dns-over-tls ). You would need to make sure you do not install Google services (nor microg) and especially no google apps.

Much more can be said, but we would need specific information about your case to provide better guidance.

EDIT: I do not want to give the impression that GrapheneOS does not make a good job in improving your situation already. They do! But to do more you would need to justify it with your threat model, that's what I'm getting at.