alltheqs If I have Google Play in its own sandbox, and I install the Notion app with Google Play, does Notion go in its own sandbox, or does Google have access to the data there?

On Android systems, every non-privileged app is sandboxed (runs in its own sandbox).

On Google's OS, the Play ecosystem apps are privileged system apps, so they are not sandboxed. On GrapheneOS the Play ecosystem apps are not privileged system apps, so they are sandboxed.

On Google's OS, the Play ecosystem apps have elevated abilities to access the internal data of regular apps, but on GrapheneOS they don't.
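As an added illustration, not part of this thread: a small parser for `adb shell dumpsys package com.google.android.gms` output that reports whether the package carries the SYSTEM and PRIVILEGED flags the post refers to, so a user can check the claim on their own device. The two excerpts are constructed rather than captured from a real device, and the `flags=`/`privateFlags=` line shapes are an assumption about common dumpsys output.

```python
import re

# Constructed excerpts shaped like `adb shell dumpsys package <pkg>` output.
# Real output is far longer; only the lines the classifier reads are kept.
GOOGLE_OS_GMS = """\
  Package [com.google.android.gms] (1a2b3c4):
    userId=10011
    codePath=/product/priv-app/PrebuiltGmsCore
    flags=[ SYSTEM HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP PERSISTENT ]
    privateFlags=[ PRIVILEGED ]
"""

GRAPHENEOS_GMS = """\
  Package [com.google.android.gms] (5d6e7f8):
    userId=10257
    codePath=/data/app/~~Xy12==/com.google.android.gms-AbCd==
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ALLOW_BACKUP ]
    privateFlags=[ ]
"""


def classify_package(dump: str) -> dict:
    """Summarise one package's sandbox status from dumpsys text.

    Note that a privileged system app still runs under an ordinary app UID;
    what grants it elevated access is the SYSTEM/PRIVILEGED status (and the
    signature|privileged permissions that come with it), not the UID range.
    """
    def flag_set(key: str) -> set:
        m = re.search(rf"\b{key}=\[([^\]]*)\]", dump)
        return set(m.group(1).split()) if m else set()

    uid = re.search(r"\buserId=(\d+)", dump)
    code_path = re.search(r"\bcodePath=(\S+)", dump)
    flags = flag_set("flags") | flag_set("pkgFlags")   # older builds use pkgFlags
    private = flag_set("privateFlags")
    uid_val = int(uid.group(1)) if uid else None
    return {
        "uid": uid_val,
        # AID_APP range: every installed app, privileged or not, gets one of these
        "is_app_uid": uid_val is not None and 10000 <= uid_val <= 19999,
        "system": "SYSTEM" in flags,
        "privileged": "PRIVILEGED" in private,
        "code_path": code_path.group(1) if code_path else None,
    }
```

On a real device, pipe the dumpsys output into `classify_package`; a `/data/app/` code path with neither flag is what a regular sandboxed install looks like.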

alltheqs Is it possible to have Google Play in its own profile, but download apps to a different profile? Is that overkill?

That may make sense for some apps, but not apps that need access to services provided by the Play ecosystem, which must be in a profile with the Play ecosystem apps.

alltheqs The Google Play sandbox information is what confused me in the first place. I should have linked this at the top.

It might be productive to quote a specific sentence or two that would benefit from interpretation and then ask a specific question about that quoted part. If all somebody has to go on is a report that a large piece of text is confusing in a general sense, it may be difficult to provide specific clarification.

    de0u
    You say that on Google’s OS, the Play ecosystem apps have elevated privileges to access the internal data of normal apps. Surely they can’t read your encrypted messages on Signal, WhatsApp etc.?


      Cold_Beer You say that on Google’s OS, the Play ecosystem apps have elevated privileges to access the internal data of normal apps. Surely they can’t read your encrypted messages on Signal, WhatsApp etc.?

      Honestly I don't know exactly who can access what when. But in the limit if you run WhatsApp on Android and you open it up and display a message, WhatsApp decrypts the message and then displays it to you by running a mountain of code written by Google.

      Is some of the code that handles the cleartext message part of Play in particular? I don't know. But fundamentally running a secure messaging app on an OS places a lot of trust in the authors of the OS.

        de0u
        That’s interesting. I would imagine the same happens on iOS then. Sort of makes you wonder if it’s worth running these secure messenger apps on a proprietary platform. Or of course running them on Graphene if at the end of the day you are talking to someone on one of the main platforms.


          Cold_Beer Sort of makes you wonder if it’s worth running these secure messenger apps on a proprietary platform.

          Unless one begins by going to a beach to harvest sand to melt down to make one's own wafers on which one makes one's own chips, etc., one must place trust in some critical components provided by other people.

          If iOS were designed to harvest screen images of encrypted chat sessions, that would likely become known, and would be a giant reputational hit.

          It would be best if we had open hardware, open-source firmware, etc., so we could be more confident in some trust decisions. And it's great to have GrapheneOS, including the ability to run Google's Play infrastructure with reduced privileges. But it is still necessary in practice to place substantial trust in people we've never met.

          Meanwhile, if the alternative to sending secure messages to an iOS user is sending insecure messages to that iOS user, in the sense that those messages are not only readable in theory by Apple if they want to risk reputational disaster, but actually readable by a cellular carrier at no reputational risk to the carrier...