blackrose If GSF/Play services are installed into the Private Space, will these services be restricted to the Private Space and the apps in it? Or will they be able to act profile-wide (i.e. outside the PS sandbox)?
Yes, they are isolated and limited to the Private Space; more information here: https://source.android.com/docs/security/features/private-space
blackrose My goal would be to have one profile only, with a Private Space for all apps that require GSF/PS, without allowing GSF to "access" the other apps on this profile.
I've set up Sandboxed Google Play in the Private Space and keep a separate system-wide profile for Android Auto, to avoid losing the connection if the phone is locked. Unless I'm mistaken, apps within the Private Space profile can still communicate with each other by mutual consent, so you should treat them, and adjust their permissions, as you would apps on the main profile.
blackrose And ideally, when closing the Private Space, be able to completely shut down (or freeze) all the GSF/Play Services at work.
Locking the Private Space stops the applications/services running there. You can reproduce this: if you install and run Sandboxed Google Play services in the Private Space, the service will ask to run in the background, which you must grant. It only runs in the background of the Private Space, and you may notice that the GmsCompat icon disappears when the Private Space is locked, proof that the service is no longer running.
If I'm right, the isolation provided by a separate system-wide profile is always stricter, but I don't know the details.