Before answering some of these questions, I'd like to point out that IPC is integral to Android. It's not a bad thing. It's actually super helpful, and you benefit from it every time you use your phone. Opening links or files in one app that launches in another app is done via IPC. The share button in apps shows you a list of apps that accept that file/URL as data in IPC. Notifications, to an extent, work via IPC. The OS uses IPC to send global broadcasts.
In Android, apps are all sandboxed, including system apps. IPC is one way they communicate.
People shouldn't worry so much about IPC. IPC has restrictions. It's mostly used to send "messages" not "data" between apps. Like a valid IPC would be "hey, Vanadium, open www.youtube.com". Invalid IPC would be "hey, Google Play Services, here's this person's entire photos collection". IPC is limited to 1mb, which is enough to share some data, just not a lot of data.
Honestly, if two different companies with different apps suck up your data, they're not going to share the data on the phone, they're just going to suck data off the phone and share it between themselves directly. It's cleaner that way. Google is also unlikely to use IPC. The majority of users don't block apps' access to the internet, only a small number of people do. As long as you use their apps but don't give them data to use, they have nothing to take from you anyway, so I'd stay away from cameras or keyboards if you're worried about this. Or use the camera in another profile.
CoffeeTime03 Is there any way to check whether IPC between two applications happens?
The only way to know is by reading the source code for an app.
CoffeeTime03 Is it possible to block it as an extra permission node?
Anything is possible I guess, but not sure if it's practical or worth pursuing.
CoffeeTime03 Can two apps within different user profiles use IPC?
no. Apps cannot communicate using IPC between profiles. I believe I read there's some ability to communicate between work profiles, but don't quote me on that.
CoffeeTime03 Is a way to control IPC on the same work profile on the same user going to be implemented
I don't know, but I doubt it for many of the reasons mentioned earlier. It's not that big of a problem if you use apps that you trust. Don't use Google apps for everything, and they have nothing to send back to Google servers.
CoffeeTime03 is there an alternative to GMS to handle app notifications?
I wish. But the problem is mostly it would be extremely difficult for something like that to be adopted by companies/app developers, let alone be used by end-users. Just think about it this way, outside of China, 99.99% (yes, this is a made up figure) of people have phones set up to receive notifications via either Google or Apple's push notification service. There' just isn't any reason for anyone to start a new notification service. There is no real need, from a business perspective.
CoffeeTime03 Some google apps won't start without play services.
That's just how it works with them. The only solution is to not use their apps.
CoffeeTime03 This means google apps such as youtube (for example), have implemented the mutual consent required for IPC and could potentially share data through it.
Why does that matter? If you're using a Google app that shares data with Google, then go use another Google app that shares data with Google, then why is there any problem with those apps sharing data? Google will be able to figure out you're the same person whether they use IPC or not. Also, of course they want you to use the same login for each service. It makes it easier to
track provide you with high quality services.
CoffeeTime03 A few apps that probably make use of Google's Ads are able to display advertisements even WITHOUT the network permission node.
That shouldn't be possible unless Google Play Services is somehow caching and serving those ads. Can you provide examples of apps that's happened with?
CoffeeTime03 However, it can retrieve data from any app if said app allows it to, could it not?
For IPC to work, it has to be mutual. Google Play won't randomly make up some IPC call to a random app to get data from it, but even if it were to do that, that app would have to have that receiver set up, otherwise the IPC will be blocked by the OS. If my pretend app does intend to share data with Google via IPC, they can't be trusted anyway. They'd share the data regardless of how they got it.
A couple final things to say after my long post here is this is why many who use GrapheneOS are so crazy about using only open source apps. You don't need to worry about these kinds of things with open source apps. If you can read code, you can find out yourself what's going on. If you can't read code, just know that there are others in the world who use the same app and have read the code and know the app is trustworthy.
The issue is that so many people and so many companies all just let Apple or Google make their lives easier. These huge tech companies have the resources to make fantastic apps, services with 100% uptime and low latency, global reach and support, etc. Don't use their apps. Tell your friends not to use their apps. Contact developers and urge them to stop using Google libraries, or write their software in such a way that it supports those without Google Play stuff.
Being smart about app permissions is your best defense. Storage Scopes everywhere. Decline everything unless absolutely necessary. If an app has no access to your phone, the only data they can get from you is what you do in the app. Maybe that data is useful and they want to share it, but it's very limited. GrapheneOS cannot protect you from this kind of data harvesting. Only you can by not using these kinds of apps, or not using your phone at all.