Hi there! Sandboxed Google Play is completely fine in the owner profile, as well as a secondary user profile. Making the choice to use a secondary profile is completely optional, and in fact the significant majority of people using GrapheneOS don't use multiple profiles in day-to-day use.
User profiles are not what provides sandboxing on Android. All apps are sandboxed by default, regardless of profiles.
They do provide some benefits for some workflows/use cases, but whether you want to use them or not depends entirely on your situation. I briefly wrote my thoughts on user profiles here a while ago; I hope that helps:
https://discuss.grapheneos.org/d/168-ideas-for-user-profiles/2
Bspamail: "I assume that the download from the apps app in GOS is already a sandboxed version."
There seems to be a bit of a misunderstanding here that I can hopefully help correct. The GSF, Play Services and Play Store apps you'll find in "Apps" on GrapheneOS are completely unaltered. They are the official 100% identical apps that you'd get on the stock OS.
What GrapheneOS does is that it uses a compatibility layer to make these apps function within the regular app sandbox. It's not that the apps themselves are altered, but that the compatibility layer makes them work where they otherwise wouldn't.
If you were to install Play Services etc. on an OS that doesn't implement the Sandboxed Google Play compatibility layer, those apps would keep crashing, because they don't know how to act within the confines of the regular app sandbox; they instead assume that they're inherently privileged and can do things that other apps can't do. GrapheneOS teaches them to function like all other apps, so that they can function within the regular sandbox, which levels the playing field. Play Services on GrapheneOS does not have any additional access compared to what any other application you'd install has.
Therefore, there's nothing special to talk about regarding what kind of access these apps will have. You can substitute literally any other app you'd install and ask the same question, and the answer would be the same. Apps are sandboxed, and they inherently only have access to data that you explicitly grant to them via user-facing permissions. Apps within the same user profile can communicate via mutual consent. That is, if both apps agree to communicate (mutual consent), they can.
I hope this helps!
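
One way to check the claim above on a device, as an added example that is not part of the original post or of GrapheneOS itself: take the output of `adb shell ps -AZ` and confirm that the Play processes carry the same kind of SELinux domain and per-app UID as any other installed app. The sample process lists are constructed, and the rule that a regular app shows up in an `untrusted_app*` domain under a `uN_aNNN` user is an assumption of this sketch, as are the function names.

```python
import re

# Package names for GSF, Play services and Play Store (the apps named in the post).
PLAY_PACKAGES = ("com.google.android.gsf", "com.google.android.gms", "com.android.vending")
APP_UID = re.compile(r"^u\d+_a\d+$")  # per-app UID such as u0_a155, as shown by ps

# Constructed samples in the column layout of `adb shell ps -AZ`; not captured from a device.
SAMPLE_REGULAR = """\
LABEL USER PID PPID VSZ RSS WCHAN ADDR S NAME
u:r:system_server:s0 system 1402 901 9000000 400000 0 0 S system_server
u:r:untrusted_app:s0:c155,c256,c512,c768 u0_a155 5120 901 6000000 150000 0 0 S com.google.android.gms.persistent
u:r:untrusted_app:s0:c156,c256,c512,c768 u0_a156 5301 901 5000000 120000 0 0 S com.android.vending:background
u:r:untrusted_app:s0:c160,c256,c512,c768 u0_a160 6010 901 4000000 90000 0 0 S org.example.notes
"""
SAMPLE_PRIVILEGED = """\
LABEL USER PID PPID VSZ RSS WCHAN ADDR S NAME
u:r:gmscore_app:s0:c512,c768 u0_a155 5120 901 6000000 150000 0 0 S com.google.android.gms.persistent
u:r:priv_app:s0:c512,c768 u0_a156 5301 901 5000000 120000 0 0 S com.android.vending
"""

def belongs_to(process_name, package):
    """True for the package's main process and its ':' or '.' suffixed processes."""
    return process_name == package or process_name.startswith((package + ":", package + "."))

def audit(ps_output, packages=PLAY_PACKAGES):
    """Return [(process, selinux_domain, user, in_regular_sandbox)] for matching processes."""
    findings = []
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].startswith("u:r:"):
            continue  # header or unrelated line
        label, user, name = fields[0], fields[1], fields[-1]
        if not any(belongs_to(name, p) for p in packages):
            continue
        domain = label.split(":")[2]
        # Assumption: a regular third-party app runs in an untrusted_app* domain under a per-app UID.
        regular = domain.startswith("untrusted_app") and bool(APP_UID.match(user))
        findings.append((name, domain, user, regular))
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_REGULAR, SAMPLE_PRIVILEGED):
        for name, domain, user, regular in audit(sample):
            print(f"{'OK  ' if regular else 'PRIV'} {name} domain={domain} uid={user}")
```

To run it against a real device, pass the text of `adb shell ps -AZ` to `audit()` in place of the constructed samples.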