yes, graphene's playstore sandbox is good and but it's not optimal to get your apps from google whenever possible. here's a good flow for getting aps:
apk > f-droid (use f-droid basic for unattended updates) > google play store.
1password is not open source. i recommend bitwarden paid version (it's cloud based so depending on your threat model) and keepass. they are both rock solid open source password managers.