ffuu any development on this topic?
No. The plan GrapheneOS developers have hinted about is to add support for multiple private spaces per user profile. The original plan of doing isolation per app was apparently abandoned due to too high complexity to implement. Unclear when multiple private spaces per user profile might be implemented, but I would guess on a time frame of 1 year from now.
trilogy6202 You'll have to try to find the right balance between your threat model and desire for convenience.
I want to elaborate on this a little bit. Typically, it does not make sense to put apps in which you have logged in with the same e-mail address or phone number in different profiles. They still know you are the same person, so can just share information with each other in the cloud instead, even if blocked on device.
Typically, you want to keep different kinds of activities separate from each other. E.g. your contacts with governments separate from your work, which in turn is separate from your activism, which in turn is separate from your gaming and so on. As an example. So you set up separate identities for those activities, with their own e-mail address. That way, if some app in the activism context leaks information, they still cannot figure out who you are, or if some government app leaks information, they still cannot figure out you are doing activism. It doesn't make much sense to separate government apps from each other, since they know who you are anyway. It also makes limited sense to separate activism apps from each other, since an attacker probably already knows what your activism pseudonym is doing.
So typically, you can get away with just a few user profiles, and still have close to perfect isolation.
trilogy6202 Well maybe some apps could be converted to PWAs? As far as I remember PWAs don't have access to check which apps are installed on your device. Can someone confirm?
PWAs are essentially websites visited in the web browser, so PWAs can do everything websites can, but nothing else. They can: 1) Talk freely to other PWA apps as long as there is mutual consent between the PWA apps, 2) Talk freely to websites you are logged in on as long as there is mutual consent between them, 3) Talk to installed regular apps as long as the regular app has specifically enabled PWAs and websites to talk to them by registering a URL handler, and so on and on.
There is some advantage of running PWAs, but they don't really provide any isolation.
Regular apps you can remove Network permission from; you cannot do that for PWAs. PWAs cannot fetch the list of installed apps, so can only discover those that consent to communication. PWAs cannot fetch the persistent DRM ID without you consenting to it; regular apps can fetch it without consent. PWAs have access to a little bit less fingerprinting information than regular apps, but still most things. More recently, PWAs can no longer communicate across user profiles, while regular apps still can using the shared loopback interface.