GrapheneOS fully supports the Private Space feature in Android 15, which is essentially a separate user nested inside of the Owner user.
We strongly recommend it as a replacement for a work profile managed by a local profile admin app. It has better OS integration and isolation.
Private Space is an isolated workspace (profile) for apps and data similar to both user profiles and work profiles. All 3 forms of profiles also have entirely separate VPN configuration which is very useful even if you connected to the same VPN, since exit IPs can be separate.
All forms of profiles have separate encryption keys. You can keep a Private Space at rest while the Owner user is logged in just as you can with a secondary user.
Private Space makes it easier to share data than users. The clipboard is shared, but we could add a setting for it.
GrapheneOS users choose to use the OS in different ways. A lot of people largely use open source apps and not sandboxed Google Play. Others use sandboxed Google Play in their main profile. Many use sandboxed Google Play in a dedicated profile to choose which apps use it.
Regardless of how people choose to use sandboxed Google Play, they’re regular sandboxed apps without special access. Private Space makes it easier to use a dedicated profile for sandboxed Google Play though.
It’s also worth noting you can still use a work profile alongside it.
All of our features including Contact Scopes, Storage Scopes and sandboxed Google Play have full support for Private Space. We added support for it significantly before the release of Android 15, even before the initial early release of the source code was published in September.
This is common with bank apps. They basically use google as their security instead of programming their own. That’s typically why people run a secondary profile with play services enabled.
I havent tried gos yet, but afaik users can enable play services in a sandbox without using a different profile. Are you saying there’s another way to fully run play services so sensitive bank apps will work?
GOS play services are sandboxed by default, it’s how they implement it. The sandbox just keeps it from having full system root integration so its not in everything by default like normal android. It still is full play services though.
What I’m saying is that if you don’t want that on your phone but you do want to use apps that rely on it then you can set up a secondary profile. On the second profile install play services and any apps that need it. That way its segregated from your main activity. Other profiles are essentially viewed as their own phone installation so they dont talk to each other.
Oh ok. But just to be clear (IIUC) if the app uses or requires Play Integrity api, it won’t work in GOS even if I use a 2nd profile for play services?
Correct, if the profiles are separate. They only share key hardware aspects (like WiFi and Bluetooth settings). The profiles can not talk to each other.
So if the first profile does not have google services it can’t run anything that relies on it even if a second profile has google services installed. For all intents, they are “separate phones”.