I want to preface this with a clear statement that this is in no way an accusation or critique of Graphene devs. You guys are awesome. I love your OS and the support you've kindly provided me in the past.
Can somebody please explain the current status of identifiers and how they can or cannot persist across different user profiles?
I have a strong suspicion that Google was able to tie a bank purchase to a burner Google account I made in its own profile on the sandboxed Play Store with a VPN (Mullvad), and no SIM in the phone at the time. The profile was deleted prior to the purchase, the SIM was only reinserted after its deletion, and the Google account was only ever accessed through a VPN in Mullvad Browser on Linux after its creation. The account had no identifiable characteristics, phone number, or payment information given to it, and it was only ever accessed from a clean session (no CSS or cookies) with no other accounts logged in. Nothing related to the purchase was ever looked up or related to anything I browsed on Google services.
I had my banking app in its own profile as well, also with a VPN. This banking profile was not accessed until after the Google profile was deleted. There could be a handful of scenarios that led to this. The only ones I can imagine are exploits of my Proton Pass extension from Google's sites to acquire my banking info, an exploit of GrapheneOS by Google while Play Store was installed and logged in, or possibly (but less likely) an exploit of my Linux OS from Google's sites on the browser.
I've been poking around a while and found some stuff from years ago saying the DRM ID persists across different installs/user profiles. More recent posts suggest they vary for each app, but the same app will have the same DRM ID across different profiles. They've been talking about a toggle for it for years, but it's been non-priority since it didn't pose a big risk to profiling/fingerprinting.
Any ideas? I'm just trying to figure out how this was possible.