If you want to keep using google playstore and services, you no longer will be able to use f-droid, whether google or any aosp rom. grapheneOS claims it won’t be affected given their sandboxed google play and services. Though I’m not sure if eventually google would come up with a counter measure or it won’t ever care. They want to enforce that if anyone uses their proprietary stuff the apps interacting with it must be from register developers, which automatically exclude any libre/free app storage on which developers don’t want to register to google. GrepheneOS being the exception.
If you use microG with any custom rom, I guess that might work through fake registrations, but can’t be sure. But any custom rom without google play and services is supposed to be ok with f-droid. The thing is that google knows most if not all users need one app that depends on their stuff, perhaps bank apps, payment apps, and so on…
apparmor comes with several profiles, and if in your distro it doesn’t include one for librewolf, you can use the firefox one. And if there’s no available one and you would be interested in combine it with firejail then most probably firejail will come with with a profile for firefox or librewolf and usually with support for apparmor. Regardless of the distros, the arch wiki can guide you with apparmor and firejail. I recommend becoming familiar with both. Another option if there’s no profile on your distro is to look into another distro’s profile. ubuntu used include some software with apparmor out of the box so perhaps it’s a good source of profiles…
Also in this same community there’s an old post precisely about what you’re asking for, though it’s a bit dated, you may want to scroll for some time until getting to it.