Best tip i can give you is this…

https://discuss.grapheneos.org/

Make an account there and find all your answers. The community is VERY knowledgeable. Good luck

1. Not sure on this one.

2. The auditor is to make sure you are installing an authentic version of graphene. That it is not a modified version that has been tampered with (e.g., backdoors).

3. Automatically enables MAC randomization. This can help with being tracked on public networks. Fingerprinting techniques have gotten better though with deep packet inspection and even measuring radio characteristics. I’ve seen demos of two brand new and identical models of iPhones being distinctly picked out due to variances in the radios during manufacturing.

Doesn’t help with advertisers tracking behavior based on IP. VPNs help with “blending-in” by putting multiple users behind the same IP. Provider matters here. Needs to be a VPN provider that won’t just sell your data or cave to law enforcement. Mullvad is my preference. Paid with crypto. RAM only logs. That said, use Tor or I2P for anything you don’t want subpoenaed.

For additional tips:

• Can’t remember if its on by default, but auto-reboot to put data at rest (encrypted and not in RAM). This is for a state-actor threat level, and less about advertisers.
• I prefer pin codes to unlock my device and don’t use biometrics. Graphene has a feature to randomize the pin pad every time to protect against a recording of the pin be entered. Specifically where the numbers aren’t picked up on the video but the pattern your hand makes can be seen. Again, more of a state-actor threat level.

Tracking protection on every app is best done via custom DNS. Since you successfully installed graphene OS, you can probably follow instructions well enough to set up a few DNS servers.

Personally, I have a few adguard -> unbound (unbound set as a recursive resolver) and then adguard set up with block lists at varying levels of strictness.

1. A very lax instance for my router as to not break the internet for anyone on my WiFi.
2. A few setup strict for my devices (phone, TV etc). Personally I keep the TV on a different instance as its super chatty and I don’t want it muddying up my stats for other devices
3. I have a separate one that services my IoT devices

If you don’t feel like setting up adguard/unbound you could use nextdns or adguard hosted, but local control gives you the most configurability and privacy, depending on your threat model.

Edit: unsure why I’m being down voted. All duckduckgo is is an app that acts as a VPN and blocks traffic to trackers. Why use their blocker when you can use your own, and have it for all of your devices, not just your phone?

This “app tracking protection” is just a DNS filter. You can achieve the same by setting a filtered DNS resolver like base.dns.mullvad.net in the Private DNS options.

Auditor just verifies that your installation of GrapheneOS is real and unmodified, meaning it hasn’t been tampered with by an attacker or corrupted in any other way.

I would recommend using a VPN. That’s also why I prefer the DNS filter over something like app tracking protection, since it doesn’t occupy your VPN slot. GrapheneOS only improves the actual Wi-Fi connection privacy (by randomizing your Wi-Fi MAC address), but it has nothing to do with the data transmission over the Wi-Fi network. That’s what you need a VPN for. You can check out this comment about the Pros and Cons of VPNs, as well as the criteria for picking a good and trustworthy VPN provider: https://lemmy.dbzer0.com/comment/15631872 Here’s some more advice about VPNs: https://www.privacyguides.org/en/vpn/

1 i prefer netGuard but trackerControl, which is based on netGuard, seems to be what you’re describing there

3 when you write “my wifi”, to what do you connect your phone to?