To my knowledge you have some proprietary firmware blobs, drivers, HAL and the Trusted Execution Environment shipping with GrapheneOS. But replacing Pixel's stock Android with GrapheneOS doesn't expose you to more proprietary components but instead reduces it (by sandboxing Google Play Services for example) and improves upon Android security overall (memory allocation, etc).

So yeah, GrapheneOS isn't 100% OSS, as far as I'm aware. But it doesn't expose me to more proprietary stuff like Jolla would.