GrapheneOS isn't a product or a business. It's partnership between a non-profit organization (GrapheneOS Foundation) obligated to pursue the defined mission and a for-profit Android OEM making hardware. It's not a for-profit venture from the GrapheneOS side.
There are no closed source components in kernel space for Pixels and won't be for other devices we support either. Hardware and firmware is closed source in practice for all modern computers. Open source doesn't mean something is inherently more private or secure. In the case of hardware, you also can't verify it matches the sources in a similar way as software.
Firefox has poor security, but especially on Android where it doesn't implement sandboxing yet let alone site isolation. It has much worse exploit protections and other security protections than Chromium-based browsers.
Using web apps over native apps makes sense for reducing their access but has privacy downsides too such as trusting the servers rather than having signed releases able to provide more meaningful end-to-end encryption. Not everything can be done with web apps, especially in Firefox where there's no WebUSB, etc. as alternatives to installing native apps providing much less access to other things beyond what's required. For example, Firefox can't be used to install GrapheneOS on a device via the easy to use web installer due to lack of WebUSB despite Mozilla coming up with the early version of it as part of FirefoxOS.
There are no closed source components in kernel space for Pixels and won't be for other devices we support either. Hardware and firmware is closed source in practice for all modern computers. Open source doesn't mean something is inherently more private or secure. In the case of hardware, you also can't verify it matches the sources in a similar way as software.
Firefox has poor security, but especially on Android where it doesn't implement sandboxing yet let alone site isolation. It has much worse exploit protections and other security protections than Chromium-based browsers.
Using web apps over native apps makes sense for reducing their access but has privacy downsides too such as trusting the servers rather than having signed releases able to provide more meaningful end-to-end encryption. Not everything can be done with web apps, especially in Firefox where there's no WebUSB, etc. as alternatives to installing native apps providing much less access to other things beyond what's required. For example, Firefox can't be used to install GrapheneOS on a device via the easy to use web installer due to lack of WebUSB despite Mozilla coming up with the early version of it as part of FirefoxOS.