Compartmentalization

haddock

Hey there,
i just installed GOS and i am trying to figure out my compartmentalization. I was thinking of keeping the owner profile degoogled with only trusted open source apps.
Now I do want/need to install some apps that are only available on playstore. As far as I am concerned, aurora store is generally not advised for security reasons if your threatmodel doesn't require it. So I would have to install SBPS on a separate profile or the work profile. I have some compartmentalizations in mind and wanted to ask which ones you think makes sense. Trying to find compromise between convinience, security and privacy.

Variant 1
Degoogled Owner Profile with FOSS apps
SBPS in Work profile with all playstore apps

Variant 2
Degoogled Owner Profile with FOSS apps
SBPS in work profile with non-tracker apps (banking, Libby, magicearth)
SBPS in seperate profile with Playstore apps that use trackers (Spotify, WhatsApp, DBnavigator (Germans will know), ARD, DLF, Jelbi, Gmaps))

Variant 3
Degoogled Owner Profile with FOSS apps
SBPS in work profile with non-tracker apps (banking, magic earth)
SBPS in seperate profile with Playstore apps that require login (Spotify, WhatsApp, Libby, nextbike, jelbi, DBnavigator (Germans will know))
SBPS in separate profile, no login required ARD, DLF, Gmaps

Variant 4
Degoogled Owner Profile with FOSS apps
SBPS in work profile with non-tracker apps (banking, magic earth)
SBPS in seperate profile with Playstore apps that require GPS to work (Nextbike, Gmaps, Jelbi, DWD)
SBPS in separate profile, no Playservice required( Spotify, WhatsApp, Libby, ard, dlf, DBnavigator (Germans will know))

Questions

Is it worth the hassle to have up to 4 profiles at the same time?
Which variant would you think is effective/worth the hassle?
Does it make sense to try to use an anonymous google account?
If I use a Playstore profile anyway, is it recommended to download FOSS apps that are available there into that profile?
Where should I place my Health Insurance App? Sensitive Data, but also trackers - i might just not use it at all...
Do you have a different proposal?

Tl;Dr
Trying to figure out compartmentalization. Is the hassle worth it?
Ideas:
1: owner: FOSS/work: playstore/playservice
2: FOSS/non-tracker playstore/tracker playstore
3: FOSS/non-tracker playstore/tracker playstore login/ tracker playstore no-login
4:FOSS/non-tracker no play services playstore/tracker+play services req+login/ tracker+play services req+no-login
Any other proposals?

best regards
haddock

Dumdum

haddock

Is it worth the hassle to have up to 4 profiles at the same time?

Personally, not really. Unless GOS changed it, you can only have Owner + 2 user profiles open simultaneously anyway so juggling the profiles is most likely tedious. But the choice is yours.

Which variant would you think is effective/worth the hassle?

Variant 5
Degoogled Owner with FOSS
SBPS in separate profile with all PS apps

Does it make sense to try to use an anonymous google account?

Again not really. Will probably stop being "anonymous" at some point anyway. The choice is yours.

If I use a Playstore profile anyway, is it recommended to download FOSS apps that are available there into that profile?

You're already downloading FOSS apps into your degoogled Owner. So if you're using a separate user profile for GPlay, just use Install Available Apps (Settings > System > Multiple profiles > (user profile) > Install Available Apps) to push the app into that profile.

haddock

Dumdum
Thank you for your opinion!

You're already downloading FOSS apps into your degoogled Owner. So if you're using a separate user profile for GPlay, just use Install Available Apps (Settings > System > Multiple profiles > (user profile) > Install Available Apps) to push the app into that profile.

I was being a bit unclear, sorry. I ment, from a security perspective, would it make sense to install and use FOSS apps that are available on Google Play Store only in the secondary profile with playservices?

Dumdum

haddock
So, for example, install Fossify apps from GPlay in the Gplay profile but install Heliboard from Github in the FOSS profile?

I suppose, sure? But that would only really work if you wanted the Fossify apps in the Gplay profile only. If you want the Fossify apps in your FOSS profile as well, then you'd have to download them from Github (or Fdroid) anyway since you can't push the apps from Gplay profile to Owner.

The only other thing I can suggest is what a number of GOS users, myself included, do which is:

Tidy Owner profile (with optional GPlay) for the installation and update of apps
Whatever additional profiles you want (e.g. FOSS Profile + non-FOSS / Gplay profile / etc.)

But since you want Owner clean of Gplay, then you wouldn't be able to rely on Gplay for the installation of FOSS apps outside of the Gplay profile(s). Personally I'm not convinced there's much risk in the "sacrifice of security" for not using Gplay. I just use it purely to install apps that require Gplay (PS app, Discord, etc.).

mmmm

If i may tack on a related point; this comes up often; people suggesting a Foss only owner with a gplay work profile, I assume created by something like shelter. I was under the impression that work profiles had nowhere near, if any of the isolation benefits that a separate user profile has, so what's the actual deal? Are they good enough for this? Perhaps its threat model dependant but is it really separating things as much as people seem to imagine?