It does, don't remember the details but at one point I let a packet capture tool on my phone run for a few days and checked which apps phoned home. Gboard was one of them. You'd besurprisesd at the amount of network traffic for most apps between 2-4 am.
Just remove its network permissions, and it works fine (without the phoning home part) AFAIK other spell checkers / autocomplete aren't quite there yet
Graphene user here ! The privacy and security gains are quite huge. Play services are more or less regular apps, with the sandbox offering limited access. Some of the "advanced" security offered by graphene triggered a few times for me, sometime highlighting something sketchy in some apps.
Also, you can disable the internet permission for apps, which can effectively block a lot of stuff (ex : you install a supposedly offline game, but it stills asks for the permission: denied).
If your main concern is not depending too much on Google, your options are limited, and very, very flawed depending on how far you whish to go (went far down this rabbit hole, came back). One less "extreme" way, using graphene, is to install play services and everything dependent on a separate user account, and clone app from this account to the one you will use. Since alternate accounts are sandboxed and not running when not logged in, when you use your phone from the main account, you will effectively be almost goggle free.
Almost, because the main remaining privacy hole is notifications. A lot of things goes through GMS in order to reach your phone without melting your battery