Hi,
I decided to give GrapheneOS on my new Google Pixel 7 Pro a try after I used CalyxOS for a few years.
Unfortunately, I have to use some Google apps like MS Teams for work (also get these notifications fast and use it often) and a (good) navigation app and the Google Camera. In CalyxOS I liked that microG-services and Aurora Store take care of my privacy. But I understand that it makes sense to put a little more into security so as not to create an even greater loss in privacy.
Now I am wondering what the best setup is to meet my requirements (privacy is very important to me but I need the above apps in everyday life).
As I read in the FAQ a good way could be to install Shelter to manage the work profile where I install the Google Play Store + Services and all needed Google Apps. The main profile stays Google Free but with F-Droid.
But I have some questions left:

  1. Do you think this is a good way for my needs?
  2. How to install the Google Apps exactly? Clone the Graphene “Apps”-App with Shelter to the Work Profile? Or clone the 3 Google Services Apps (Google Play Store etc.) directly to the Work profile? But how to update these 3 Google Services apps then?
  3. How to install (and update) the Google Camera to the main profile? As I tried “Gcam Services Provider” can’t be installed due to the Google Play Services installation in the work profile.

    apoid I hope this answers some of your questions. Graphene OS provides an app called "APP"; in here you get Google Services, Google Framework, and Google Playstore that is sandboxed. These will also auto update. I've never used Shelter so I can't help with that.

    From my understanding, since Google Services is sandboxed, you have full control of the permissions and what it can and can't access.

    99% of the apps in the Play Store work. Google Camera, MS Teams, etc.

    You can also create a second profile to install your Google atmosphere on and enable notifications as a second opinion. (Second profile must have been opened to receive notifications on main profile)

    apoid I did something similar for my setup and it's been working pretty well. I don't really have any play store dependent apps and pretty much go without push notifications so I keep my work profile turned off basically all the time.

    1. Do you think this is a good way for my needs?

    Yep, it should work fine.

    2. How to install the Google Apps exactly? Clone the Graphene “Apps”-App with Shelter to the Work Profile? Or clone the 3 Google Services Apps (Google Play Store etc.) directly to the Work profile? But how to update these 3 Google Services apps then?

    Shelter gives you the ability to clone apps between the work and main profile, so the starting point is cloning the "Apps" app provided by GOS to the work profile and then installing the needed Google services there. I actually have some paid Play apps I bought years ago that work fine in the main profile without Play Services or the store, so I update them in the work profile and then clone them back to main. Aurora in the main profile can tell me when they need to be updated but can't update them since they are paid apps and I'm not logging into any Google services on my main profile.

    3. How to install (and update) the Google Camera to the main profile? As I tried “Gcam Services Provider” can’t be installed due to the Google Play Services installation in the work profile.

    In my main profile I installed GSF only with no permissions and then installed the GCam app (with no network permissions) via Aurora and this works fine. It can still update via Aurora just fine and does not need anything other than GSF to run properly.

    So far my only headache with this was finding out that Signal installed in my main profile could see that Play Services was installed in the work profile and so didn't want to set up using websockets for notifications and would error out on setup until I removed all Google apps from my work profile. Other than this little one-time setup oddity everything seems to be working perfectly. If you set up Signal before doing anything with a work profile you won't have this problem.

      AdamBv1
      Thank you very much. That's what I wanted to know.
      I think I will try this way but without Aurora Store in the Main Profile. As I read in the GOS FAQ, it's recommended to install/update Apps via Play Store. Maybe I install the GCam app in the Work Profile via Play Store, clone it, but leave the unused copy in the work profile, so that I will be notified when updates are available. I will see if this will work for me.

        apoid Aurora is just a front for the Play Store, so they are downloading from the same place, but Aurora increases privacy over using the Play Store directly by making anonymous sessions that change all the time unless you actually log into your Google account or use their option to generate a GSF ID locally and use that for all sessions.

        I believe their warning about using something other than the Play Store is warning against grabbing APKs from random websites more than keeping people away from Aurora, as you will see recommendations for Aurora on par with the Play Store in both the Usage Guide and FAQ.

        That being said, using Play in the work profile to update apps and then cloning it over to main will work just fine if you want to skip Aurora. As I said, this is what I do anyways for paid apps Aurora can't update.