Where and how are installed apps stored?

ryrona If I have the same app installed in two user profiles, and update the app in either, would it automatically be updated in the other too? Even if the other user profile hasn't been unlocked yet?

Yes.

If update is synced like that between user profiles, in which user profile or where is the app (APK, not user data) actually stored? With what PIN/passphrase is it encrypted with?

Apps are installed system-wide which means the data/apk is stored in a system directory of some kind - either /system/app or /data/app according to a quick internet search (apologies if this is not correct). If the data/apk was encrypted by anything, it would be the Owner profile. User data would be encrypted by individual profiles I imagine.

My threat model includes that no one getting physical access to my device must be able to see what apps I have installed.

Sorry to be the bearer of bad news then. Apps can always be seen on Android. Its a fundamental part of how Android works. Apps cannot be "hidden".

ryrona

This is what I see on my phones:

Primary Profile: settings/app-info shows all apps installed, on all profiles.
This makes sense because the primary profile needs authority to delete a secondary profile (and hence any apps + data installed by that profile). Such 'secondary profile apps (SPA)' show in the PP as 'Not installed for this user'; for such an app, from the PP>settings>AppInfo>App>top right corner you have the option to uninstall the SPA for all users.

Secondary Profiles: settings>AppInfo shows only the apps installed by that profile or pushed to that profile by the Primary Profile.

ryrona If I have the same app installed in two user profiles

Have you actually tried this with two Secondary Profiles? Someone here did have an issue when they were trying to do similar:
https://discuss.grapheneos.org/d/12091-app-not-installed-as-package-conflict-with-an-existing-package and @other8026 fixed it for them.

I have installed apps in the Primary Profile with Sandboxed PlayStore, when they were already installed in a Secondary Profile with Aurora. This was very nice because that app in the SP was updated with the latest PlayStore version and now showed PlayStore as the origin not Aurora. In both profiles the first install date shows as the Aurora first install date.

I think you will find all profiles are using the same app install in the same place - probably based on the (unique) reverse dns name like com.android.deskclock. Some people here do have different versions of apps installed but they are using a third party 'work profile' app to achieve this; not the GrapheneOS provided mechanisms. Perhaps you will need to look at this if you want to hide app installs in a Secondary Profile.

AOSP/GrapheneOS is likely to be using some combination of fscrypt / namespaces / uuid / selinux such that a Secondary Profile has no permission to see or access an App in an app folder until either the app is pushed to it from the PP or installed by an app store in that SP.

https://source.android.com/docs/security/features

ryrona

App APKs are stored in:

/data/app/

App data is stored in:

/data/data/

Also known as/

/data_mirror/data_ce/null/0/
and
/data/user/0/

I just made another user, and I can't see any of their app data in my primary user. There is no /data/user/1/ or anything like that. In the secondary user I see app data under just /data/data/ but it is different app data than for the primary user.

You won't have any access to any of these parts of the file system, except for the app data for an app, while you are in that app. You need root privileges or to be on a debug build like I am right now. A debug build is NOT for daily use however, it is compromised when it comes to security!

Hope this helps!