It's really not feasible to run most apps without Google Play APIs/MicroG. The most problematic issue is the notification API.
MicroG runs with elevated permissions to avoid being killed, and so that it can continue listening to socket events. Once an event arrives, it decodes it into a notification, packages it into an RPC request, and wakes/runs the target application activity. Then it, crucially, uses the elevated privileges to override the default policy to also allow the target application to run without interruptions for 20 seconds (to process the notification).
I get my apps from F-Droid, which guarantees that the apps are open source, free of most "unwanted features" (i.e., not malware), and don't depend on Google Play APIs. Apps written to the F-Droid standard don't use Google Play APIs for notifications. I acknowledge that most people want to run closed source apps from the Google Play Store, but I consider those apps untrustworthy, and what I do won't work for most people.
The specific privilege that MicroG wants and that GrapheneOS doesn't allow is the ability to spoof the signatures of other apps. GrapheneOS runs the Google Play APIs in a sandbox, and this sandbox allows push notifications to work, so that's not the problem with MicroG from a GrapheneOS perspective.
I just really wish they would just allow microG, sandboxed in the same way as Google services (like DivestOS does), behind as many security warnings as they see fit.
The DivestOS project put stronger emphasis on device longevity and on libre ("free as in speech"), so their microG implementation was just a better fit for their case.
I can explain. The first link actually contains multiple comments -- the complete discussion is linked.
For a specific example within it, it does explicitly state "17.1 and higher have an unprivileged microG feature now: https://divestos.org/pages/faq#appCompatibility" in 2023. The comment was by the DivestOS project author.
The second link, also from 2023, starts with "Latest release of my DivestOS can now run microG in an unprivileged manner:" -- also by the DivestOS author.
I think that covers it for your reading of the links, no?
Anyway, the DivestOS project did have an implementation of microG, and it was sandboxed. As for my comment about project goals, I also selected those two links because both include such commentary about DivestOS' implementation in relation to project goals and to the GrapheneOS implementation.
Thanks for clearing that up. I should've read your post more closely. To be honest I never checked the second link because I follow the Android privacy/security scene pretty closely and I was already pretty confident that if DivestOS added support for that I'd have already heard about it. My bad!