avaluedcustomer Does GOS send the "DSID cookie"
GrapheneOS, the operating system, does not. You can see what connections are made by GrapheneOS by default on the website and the next section is about other connections.
avaluedcustomer if Google Play is installed?
I could be mistaken, but the article is calling some things "cookies" when other people wouldn't. This "DSID cookie" is, according to the article, explained on this page https://policies.google.com/technologies/cookies where it says
Some cookies and similar technologies used for advertising are for users who sign in to use Google services. For example, the ‘DSID’ cookie is used to identify a signed-in user on non-Google sites so that the user’s ads personalization setting is respected accordingly. The ‘DSID’ cookie lasts for 2 weeks.
Based on what is written here, I would assume that since it says "site" we're referring to a browser. If the browser is sending this cookie, then I would imagine Google Play will not.
It says that it's only sent when a user is logged in, so if you don't want the cookie to be sent, don't sign in to any Google sites when using your browser or use incognito mode.
Also, I don't like the tone of the article. If a website owner includes Google Analytics or something similar, then they chose to use that Google's service. Cookies and Google code on websites isn't Google being malicious. This isn't being forced upon people by Google, nor is it being forced upon people because they use a phone with an Android OS.
The same logic applies for apps, too, by the way. App developers can choose to include Google libraries in their apps, but nothing is forcing them to.
This DSID cookie is "almost certainly" the primary method Google uses to link analytics and advertising events, such as ad clicks, to individual users, Leith writes in his paper.
Okay? When has it been news that Google gathers information to push ads? To me this article seems to mostly be an attempt to sensationalize something that has already been obvious to those who already understand how this stuff works. The scary cookies and IDs that were mentioned in the article are all nothing new, as far as I could tell.
I'd also suggest reading through the GrapheneOS website's page on non-hardware identifiers. It talks about ANDROID_ID and other related information.
He found various mechanisms operating on the Android system which were then relaying the data back to Google via pre-installed apps such as Google Play Services and the Google Play store, all without users ever opening a Google app.
This is one thing that makes GrapheneOS so great. Google Play and other GMS apps aren't installed by default in new profiles. If you want Google apps, you can install them. If you don't, you don't have to.
But, yes, on most Android phones, Google Play and other Google apps have privileged access and I think most of the people in this community would agree that it's a real privacy issue, but fortunately that's not the case for GrapheneOS users.
Sandboxed Google Play isn't a privileged app, so it doesn't have access to anything that other user-installed apps have access to. So even if Google Play does send a "cookie" or whatever identifier upon startup, what does that mean, really? Not much, because when we use GrapheneOS, we can keep these things in mind and set up our phones in a way that best fits our own needs.
edit: about the SafetyCore part of the article, I'd suggest reading this thread by the project: https://grapheneos.social/@GrapheneOS/113969399311251057