I am trying to configure Graphene OS to allow a locked-down profile to be used without the Owner logging-in first.
On reboot I must login to the 'Owner' account before I can unlock any other accounts - this is bad for security because the Owner has special privileges (such as administration of other users), think of a situation where the owner wants to give a user a bio-metric accessed account which can be used (even after reboots / power-off) without the owner having to login to the device (they may not be present or accessible, so now the user is carrying a brick, and providing the user with the passcode for the Owner profile so they can login to their own defeats the security constraints... which is BAD!)
An ideal situation would be where (after a fresh reboot) I can provide biometric to the login screen (I don't have biometric on the Owner account), and it logs into whichever locked-down profile can be accessed by that fingerprint - or there is an authentication screen which requires the username to select the account to login to (I'm sure this was an option with earlier Android versions, but I can't find it on the latest GrapheneOS)
This would also enhance plausible deniability, essentially it's a 'Customs' unlock, "Yahs officarr, this device unlocks with my fingerprint, see"
Another interesting option would be allowing allow Guest logins after reboot (with a profile restored via a USB-OTG attached microSD card) without the Owner unlocking the device first (although that comes with its own security caveats as could be used to exploit the phone).
Interesting sidepoint: currently evaluating OnlyKey Duo with GrapheneOS for password login, but am unable to use it as FIDO2 provider for login in a way which the possessor of either devices cannot extract the login passwords. I can provide developers with a token amount of funding to purchase several OnlyKey devices for research purposes if that would help things...