RatMafia if I flash GrapheneOS on a Pixel (7, 8 or 9, still haven't picked which one), and decide to revert to stock OS afterwards, will there be any traces of this change? I remember installing LineageOS on my Samsung Galaxy S5, and after that, there was a warning on the screen each time the phone was restarted that said that warranty was voided or something similar.
There shouldn't be any traces left, as long as you follow the step to delete the GrapheneOS verified boot key as well, which is otherwise easily overlooked. There will not be any warnings shown at all, and warranty is not voided at all. Pixel phones are meant to be able to run alternative operating systems, unlike Samsung phones, so doing that would never void the warranty.
There might be some traces left, but they would probably only be possible to detect with somewhat advanced forensics. There will definitely not be any visible warnings, and the stock OS will have no clue.
RatMafia Do I understand correctly that GrapheneOS lets me compartmentalize my apps in different profiles, in a similar way as for example Qubes OS on PC? Are they completely separated from each other then?
Yes, separate secondary user profiles are the way to compartmentalize apps into separate security domains in GrapheneOS, similar to QubesOS. There is a very crucial difference though. AOSP never intended secondary user profiles to be used for this; that functionality was meant to allow multiple physical users to share a phone. So the solution will not be as secure as in QubesOS. For example, apps in different profiles can still communicate with each other, without you knowing about it, for example by using the loopback network device for communication. But the GrapheneOS team wants to improve the security here eventually; it is just that there is so much that needs to be done to make GrapheneOS better, and this does not seem to be prioritized right now.
I believe secondary user profiles in GrapheneOS provide good enough compartmentalization for my use cases, but it is not at QubesOS level by far.
RatMafia How's MDM with GrapheneOS? Will I be able to have a work profile that is entirely separated from my private stuff? And will the work profile still be connected to my company's MDM system or will it be just a profile that I set up with work apps?
The device manager app you install has privileged access to your whole device, so if you install an MDM app on your phone, you must really really trust that one to not spy on you. Even if you are willing to accept that, I never got MDM to work on my phone. That was Microsoft Intune, it didn't work. Some have reported that you can trick company apps into working in a work profile set up by an open source device manager app such as Shelter. This would have the advantage that neither your company nor the provider of any MDM app would have any privileged access to your phone at all, and that it would be totally separated as far as Shelter separates it. But it is not guaranteed to work, and your company may not like it. So, do not count on MDM working. I have chosen to not attempt to run MDM on my private phone, and just use a work-provided phone instead for work-related things.