cdflasdkesalkjfkdfkjsdajfd
Yes this is a very good use case that is making using GrapheneOS with good isolation of Google Play Services dependent apps much much more convenient. I can recommend this setup if it fits your threat model. I personally haven't seen any drawbacks from this setup if compared as my previous setup of using a secondary profile. Only huge increase in usability, especially for those ude cases where you have messenger apps with dependency of GSF for notifications. Now you can actually see the notification and not just a generic notification forwarded from the second profile, as before (with the "send notification to current user" setting toggled). No need to constantly switch profiles and authenticate.

I have not tested but this maybe also partly mitigate the annoying AOSP fingerprint bug that in reality only let you have two fingerprints stored. Since you don't need to switch profiles as often it doesn't matter if fingerprint auth doesn't work when switching profiles.

      cdflasdkesalkjfkdfkjsdajfd I do not see the issue. You do have a screen lock with a reasonable timeout duration, right? If you do not have a very high threat model then AFU protection is most likely enough. The reboot timer makes sure your phone will be in BFU state long time before Cellebrite and the likes can brute-force your PIN. Especially if you have the timer on something low.
      The same scenario you describe can happen if you have your secondary profile active when your phone gets lost. It is practically no difference here.

        @GrapheneOS
        Would it be possible to add functionality to install apps to Private Space from the Owner? Like currently possible with secondary users?
        That way you could install sandboxed Google play in the owner profile and install apps from the Play store inside the PS, without having install sandboxed Google play in the PS.

        cdflasdkesalkjfkdfkjsdajfd
        No, see: https://discuss.grapheneos.org/d/16670-private-space-on-android-15-grapheneos/62

            Can apps be installed via adb in private space or via copying it from the main profile, like to other users, or the only way to do it is via a store, like Play Store or Aurora?

              cdflasdkesalkjfkdfkjsdajfd Yes, you can adb install to the private space.

              $ adb shell dumpsys user | grep "Private space"
  UserInfo{##:Private space: ......

              ## is the userid of your private space.

              Then $ adb install --user ## file.apk

                Is there a way to do not unlock private space using the fingerprint but configure fingerprint to unlock some apps in private space? I have set private space to be unlocked by password and fingerprint settings to do not be used to unlock the device but when I unlock private space the fingerprint unlock is displayed instead of the keyboard.
                Thanks

                Will the settings on the Private Space be extended like those on the other profiles?

                Is data unrecoverable when deleting Private Space as when deleting profiles?

                Edit : It seems to be the same with the deletion of data :

                All forms of profiles have separate encryption keys. You can keep a Private Space at rest while the Owner user is logged in just as you can with a secondary user.

                  Hat

                  Is data unrecoverable when deleting Private Space as when deleting profiles?

                  Yes, it's similar to a user profile especially if you set a dedicated lock method but can be reliably deleted even when sharing the lock method with the Owner user, since it still has separate encryption keys and protection. It shouldn't be possible to get the data when Owner is unlocked but the Private Space is not even when the lock method is the same. Reboot is still best to get data back at rest instead of relying on things being zeroed as they should be.

                    We strongly recommend it as a replacement for a work profile managed by a local profile admin app. It has better OS integration and isolation.

                    I am really struggling to understand the messaging here. I generally think of "integration" and "isolation" as generally diametrically opposed. I like how existing profiles are completely separate. I don't want any possibility of data leakage between/across them. Are you using "work profile" as a general term for any secondary profile (meaning one connected to a dayjob, etc) or is that something else?

                    @GrapheneOS What exactly would be the benefit of deleting my secondary profiles and recreating them as Private Spaces within the Owner Profile? What are the precise differences between these two feature sets?I'm sure I'm not the only one wondering this. A simple page in the docs would be greatly appreciated once this feature has matured a bit more.

                    Thanks for all you do.

                      strict-marsh Work profiles are exactly what it sounds like - a separate profile that runs side by side with the owner. Usually these will be created by an app like Shelter or Insular. They offer the least isolation compared to Private Space and secondary user profiles, but are probably the most convenient due to the amount of integration in the settings.

                        strict-marsh What exactly would be the benefit of deleting my secondary profiles and recreating them as Private Spaces within the Owner Profile?

                        Note that at present there is only one Private Space, associated with the sole owner profile. Secondary profiles are not the same thing as work profiles, so if you are using secondary profiles at present the recommendation to switch from a work profile to Private Space is not applicable.

                          missing-root how to disable the system clipboard if I use Florisboard clipboard? Thank you.