As your question is vague, I broke it down into 2 questions for you:
a) “If Graphene is flashed, how can a backdoor in the Google hardware exist?”  
The answer is that all hardware uses firmware which operates at a lower, more base level, than an operating system.  This firmware could potentially communicate to remote actors.  This could potentially be EVALUATED through WiFi to a router you control, but can not be even evaluated if it goes to cellphone towers.  It also could potentially communicate even right under your nose of a FOSS router firewall, if you go to “google.com” and some hidden data exchange takes place with SSL encryption to the right domain.

b) “If google’s push notifications are enabled, how can this google service get to the hardware identifiers on the device?”  The answer is that the sandboxed google push service prevents it from getting to the hardware identifiers IN THEORY. 

 I think my question was clear enough. 

In any case, you base your reply on assumptions; assuming this, could be that etc. Have you seen this been discussed by GrapheneOS developers? Have you contacted them to get their take on this hardware-firmware backdoor? 

 There’s not much they can do on a google hardware backdoor other than not use google only and support other phones.  But we are not officially involved with their decisions, this is just commentary in general 

 For sure. They could have phones observing their behavior over time. This is what they could do for example. Maybe they have done so. That is the reason of my question to you as an advisor of privacy.  

 even if you contact them, they wouldn't know due to the closed source nature of the hardware.