@HarborFront @SecurityNightmares Thank you both for your thoughts on this.
Indeed, from my understanding, Aurora's store (not to be confused with Aurora Droid--an F-Droid store replacement) is just a bypass of the Google authentication mechanism (it uses shared/private user accounts in rotation) to access the same download sources as Google Play store. So, in theory, it has access to the same filtering that Google does on the existing store apps.
Of course, if you get to install a malicious app before Google flagged it, all bets are off and in that case a stock Google phone wouldn't fare better anyways, as it will still be infected. Regarding other download sources for Play Store apps (i.e. apkmirror, etc.) I trust them even less than I trust F-Droid repos, since in essence you're being served an apk by an unknown server.
In this case, my recommendation would be to try out:
Aurora Store (front-end for Play Store). It's open source and the only thing it does is bypass the need for a Google account on your phone. It cannot auto-update apps; it just notifies you of new updates, and it also has built-in Exodus verification which would expose trackers (if you are concerned about Google) on your apps before you download them. There's also a separate Exodus app, but that's a different matter.
F-Droid's repo (their store app is arguably not the best, but there's Aurora as an alternative) is exclusively open-source software that is compiled by their servers from mostly GitHub repos and signed with their private keys, so the whole process should be reasonably secure and transparent. A big downside would be that it sometimes falls behind the dev versions with bugfixes/security enhancements, as they need to be audited internally before being compiled and pushed to the repo. It's a similar situation with most Linux repos that don't follow a strict rolling-release model. Security gets delayed. A small benefit would be that some undesirable features and trackers are stripped out and you get a cleaner version of the app, but that depends a lot on the developer support. Some app developers offer their apps for both Google and F-Droid store (which requires some special steps to have it auto-compiled and pushed). In any case, it's a better bet than downloading the apk from some shady website.
An alternative would be to manually download and verify the integrity of the apks from GitHub, if you don't trust F-Droid.
Regarding the antivirus, it would need access to device-admin, not necessarily root, to properly audit and protect from malicious apps, something which I wouldn't trust to any app on my phone to be honest. It breaks the whole OS sandbox and pretty much is a remote admin waiting to happen. I would appreciate a reasonable scanner that could verify the apps I have for signatures of known threats, but I don't know of one, other than Graphene's own Auditor, which is not exactly a scanner but an integrity checker (it doesn't enforce anything if it notices discrepancies).
I would expect GOS to be available for the Pixel 6 probably 6 to 12 months after its release, but that depends a lot on the changes from the previous model and, of course, the all-too-generous Daniel Micay not being completely swamped with work.