So, the point here is to degoogle, yet you need certain apps that require google services.

What I and many others do is have a clean (i.e. no google services) main profile and a dirty (has google services) secondary profile. Put your needed apps in the secondary, live in main, and it's two swipes and a tap to get to your apps in secondary. Best of both worlds. Over time find replacements that work in your main, congratulations, you're now degoogled on your phone.

You don't install the apps "sandboxed". You can install the Google services like any normal app (in the "Apps" app). The Google services will then only have very limited permissions, for example they won't be able to see your location, camera, contacts etc. by default and you can grant these permissions like to any other app.

The only thing that changes is that you have the option to install Google services and that you have the option to grant them permissions they would have limitlessly on a "normal" Android phone.

Your four mentioned apps should work on GrapheneOS without any problems, the only apps I had difficulties with were banking apps. The Google Play Store won't be installed by default though, so you will need to install it in the "Apps" app. (I recommend using F-Droid to find alernative apps, although you won't find something like Clash Royale on there. If you don't want to use a Google account, you may want to look into Aurora Store (it provides anonymous access to the Play Store), which is also available of F-Droid)

I personally still use Firefox (Mull to be exact), because Vanadium doesn't seem to have any good way of blocking ads. I found this on the internet in some R*ddit comment:

Chromium-based browsers like Vanadium and Bromite provide the strongest sandbox implementation, leagues ahead of the alternatives. It is much harder to escape from the sandbox and it provides much more than acting as a barrier to compromising the rest of the OS.

(Long version of the above quote: https://grapheneos.org/usage#web-browsing)

Idk what those apps are but if your work requires them, then you should have a separate work phone that runs whatever your boss wants it to, and your own phone that is degoogled. You want the separate phones for other reasons too, like if there is a problem at work and they need the phone, they get theirs and not yours.

Otherwise, find substitutes for those apps if you have to.

Preface: I haven't used GrapheneOS personally, but I've learned as much as I can over the past year. I'll try my best.

If I installed these exact apps “sandboxed”, what exactly does that mean from a user standpoint? Will I have to use a separate account, reboot my phone, etc, or is it a quick process to use the app?

Sandboxed only means apps don't communicate with each other* and that if one got breached your entire system remains untouched, only the app gets affected. Installing and using apps is the same as normal Android, no extra steps involved. If you want, you can create a separate profile for "unsafe apps", but this is by no means a requirement and only ensures that if that profile gets breached the other profiles are untouched (profile sandboxing). Rebooting your phone is good practice after installing any software on any device, because some apps need a restart to complete the installation. It is not a requirement. To summarize: Just install the app, open it, and you're done. Apps are sandboxed by default.

Edit: The only thing you have to do before installing apps that rely on Google Play Services is to install Google Play Services in Settings (somewhere). This only has to be done once per profile.

*There are some exceptions, but for simplicity we'll stick with the textbook definition.

Is there a list of apps that I could browse to find equivalents to the above? Recommendations here are also ok.

AlternativeTo is a good place to find alternatives for certain apps.

I saw that Firefox isn’t exactly private(?) and that Vanadium is better in that aspect but I don’t understand why. Can someone ELI5, and help me see if this is a relevant concern for me?

This goes back to sandboxing. Basically, Firefox doesn't play nice with sandboxing. That means if Firefox gets hacked there is a greater risk of infecting the entire phone (which wouldn't happen with proper sandboxing). Vanadium has proper sandboxing, since Chromium (what Vanadium is based off of) was made for Android.

Think of Firefox as a metal crate with a few small holes poked in it. Those holes aren't a huge concern, since it would take a very skilled person to climb out of the crate through those small holes, but having holes in the first place is not great since it risks letting a person out of the crate. Chromium is a metal crate without holes, no risk of anyone getting out of that box, no worries.

Cheers!

Been usin graphene for a while now i reccommend find as many of your apps on fdroid (i use the neostore frontend for fdroid) then use aurora store for apps on google play. U can install google services from the graphene apps and then u can grant that permissions as u need. I use firfox developer edition cos i need my desktop plugins on mobile. Have had no problems running any apps if ur worried abt google services make a second profile and install it on that profile to further seperate google relient apps.