A lot of what Graphene does over the Stock OS is contain Google Play Services to the regular App Sandbox that any other user installed app has to do, outside of the security improvements they add to the OS. API calls might change because of how they have to handle Google Play Services, but restricting the amount of access that Google Play Services has to your entire system activity is a net win for privacy and security for my threat model