It's wild to me that "internet access" is not revokable or even displayed in the Play Store in stock Android. It's such a huge security and privacy concern, even if most apps semi-legitimately need it.

Or, it would be wild, if it weren't fairly obvious that this is just Google protecting their mobile ad revenue.

>no data can be exfiltrated.

Well, that depends on the other apps you have installed. Unless things have changed in newer versions, apps with no networking can still do IPC, so any app can for example use Cronet to make network requests via Google Play Services, regardless of the toggle, as long as sandboxed Google Play Services has network permission.

Any self-respecting OS has packet filtering, this isn't unique to or surprising from GrapheneOS. On my Samsung/OneUI I use AFWall+ which sets iptables rules iirc

Network permissions could be used to avoid ads on Android. The horror!