Questions about Owner profile / internet traffic / VPN / Google Play

anotherGOSconvert

Hey folks, hoping I can get some help clearing up a complex of related questions. My head is spinning with all this so sorry if this isn't super clear...

My current setup:

Owner profile: running a VPN, Google Play Store/Services installed, profile used for downloading apps and pushing them to other profiles
three secondary profiles: a 'daily driver' profile with no Google apps or Play Services; another profile to sign in to my real Gmail account; and a third profile for using other Google apps with an anonymous account

It seems there may be a few downsides to this setup though. The Owner profile has some unique abilities that can't be done from other profiles, including turning on/off the mobile hotspot. The Owner profile can't 'End session' the way you can with secondary profiles, so making Owner my app installation hub means GPlay Services stays running always. I've seen some indication that Google Messages (which I want access to for occasional use) only works in the Owner profile. For these reasons, I'm considering switching my setup so that I have the GPlay Store updating apps from a secondary profile, leaving my Owner profile free of Google Play (I understand I can't push apps to other profiles if installed in a secondary profile). Making this switch would take a bit of work, I want to clarify some things before I do.

I guess the most important question for me right now is: if I've got GPlay Store/Services with network permissions in the Owner profile, and I turn on the mobile hotspot from this same Owner profile, am I opening myself up to privacy breaches? (and is the answer different if I've got a VPN running?) I.e. will the traffic I'm running through the hotspot (say from internet browsing on my laptop) be visible to Google, due to the networked GPlay install in that same profile? I'm guessing the answer is "no, GPlay Store/Services are sandboxed in GOS" – being a non-technical user, I don't understand the exact parameters of this sandboxing, so I'm trying to better understand the privacy implications of the setup I've described. I'd prefer to run my mobile hotspot in a profile completely isolated from Google, but is there any real privacy reason to do so? If it's true that Google Messages needs to run in the Owner profile, and the hotspot can only be activated from the Owner profile, then it becomes even more important for me to confirm that I can isolate GMessages/GPlay from internet traffic running over the hotspot.

A related question: I suspect I may be running into problems due to the always-on VPN in the Owner profile (for instance with RCS messaging, wi-fi calling, and notifications, though I'm still troubleshooting and the problem could be something else). I set up the always-on VPN (Orbot) in the Owner profile a la the popular SideofBurritos setup. Certainly masking my IP address from Google sounds great, but the VPN sometimes stops working and has to be reset, i.e. turned off and back on again. I'm guessing that in those brief moments of downtime, the networked GPlay Store/Services exchanged some data with the internet, and thus I've already exposed my true IP address to Google. And thus there's no real privacy benefit (and some convenience compromises) to continuing to run the VPN in the Owner profile. Am I misunderstanding this? I'd love to turn the VPN off if it's not actually helping mask my IP from Google and associating that IP with the anonymous G account downloading apps.

Thanks for any light you can shed on all this.

anotherGOSconvert

Any insight would be appreciated. I know that was a wall of text so to summarize my key question: is running data through the mobile hotspot in the Owner profile with Google Play Services & Store installed a privacy risk, compared to running data through the hotspot in a profile with no Google Play installed? Secondary question: wouldn't my IP address have already been exposed to Google if my always-on VPN has had downtime?

Elysium

The Owner profile has some unique abilities that can't be done from other profiles, including turning on/off the mobile hotspot.

While true, you can't turn it on on other profiles, you can still disable it by briefly turning airplane mode on.
Just for tethering you actually need to stay on owner profile.
For mobile data turning on and off I found a solution for secondary profiles. You can make a settings widget on your 2nd or 3rd profile for "Data Usage" there is a checkbox for turning Mobile Data on and off. I do not know why this option is hidden in the normal settings menu though, as if it is unintended to use this way.

I disable PlayStore and Playservices once I updated the few Playstore Apps I use, you could clear cache before letting them access Internet again. I am not sure how well this actually prevents these apps from aggregating data while in disabled use, and if Cache really deletes all their data, I doubt it, but nothing is perfect.
For your use case, that may be not suitable though, unless you are fine with accessing google messages only sometimes idk.

From what I understand, the connection you make via hotspot and tethering are not using the vpn of your phone, they need their own vpn connection on the device you are using them on. (But please correct me I am wrong, but I am pretty sure at least for tethering.) So all your phone should see is encrypted data that goes through the VPN. If they know what devices you are linked too, when you used it and for how long, is another question. I am not so deep into it, but nobody else was answering.

There is another setting in your VPN category, that it should block all traffic when the VPN is off for various reasons. If that is checked then you should have no leakage usually. But I would read up more on Orbot, I think it is no longer recommended as much, but I forgot why. Some of the SideofBurritos videos are a few years old already. I think he is using Mullvad as VPN later on, which is a one of the good choices.
This setting also would allow you then to turn the VPN off on your owner profile, while having mobiledata or Wifi still activated, your owner profile becoming effectively offline though - until you restore VPN connectivity.
So there are a few ways to prevent Playservices the access to internet.
You can use a hotspot while the VPN on your owner profile is off - while its traffic is blocked - while hotspot and the devices connected have internet - but like I said would need their own VPN connection if you want to prevent leakage of said traffic to your ISP.

Hope that helps at least a bit. Generally I would have advised against using your main google profile on your GOS device - but I guess for some scenarios it is hard to do and not as important. I think I would use Laptop or Tablet (for Microsoft or Google apps if necessary) or for Music a Walkman - to not expose myself to Bluetooth or USB-C attacks by compromised hardware. Which would be an idea.