Right. IPC is not something that can be controlled in permissions. It's just something that Android apps can do.
Also, yes, your example about the 5 apps is correct. App 5 simply cannot communicate with apps 1-4.
I don't know how to answer the other questions briefly...
The truth is there are ways to communicate out of the sandbox, mostly by exploiting permissions apps have (like storage, microphone, sensors, or internet). Any permission granted increases attack surface. In practice, the sandbox and restricting apps' permissions to only what they actually need is all you need to do. An app with no permissions has no way to communicate out of the sandbox. Being smart with permissions makes these ways infeasible to impossible.
For general use, the sandbox is sufficient. Using a web app is even better because there would be two sandboxes (and no permissions to worry about). Companies like Facebook wouldn't bother trying to get around the sandbox. They won't try to get access to what they can't access easily. There are tons of easier targets, like people who willingly give access to everything.
Profiles aren't necessary to further sandbox anything. The only real difference is no inter-profile IPC and apps can't see what apps are installed in other profiles. They're primarily used as separate "workspaces," like I mentioned in my last post, but if someone wanted to be extra careful, they could use profiles if they wanted. The best way would be to have nothing installed on the owner profile, then use other profiles one at a time (not leaving multiple running at the same time). This way it's almost like having different phones. It would be completely impossible for apps to communicate with each other considering any hypothetical, impractical, or whatever methods. It's not necessary to put so much effort into this, but it all depends on a person's threat model.
It would probably be helpful to read pretty much everything on GrapheneOS's features page. Each of those features, including security features, aren't included in Stock Android. Other than further hardening the sandbox, GOS does much more to keep us secure.