I've been using GrapheneOS more and more frequently and as a result have noticed a few items of concern related to the "separateness" between profiles. Mainly, it seems as though apps in different user profiles on the phone do not seem to be walled off from one another.
For background, I have my user profiles set up such that I have an Owner profile with zero apps, a profile where I have all my FOSS apps ("FOSS Profile"), and then a separate profile with non-FOSS apps ("non-FOSS Profile"). My FOSS profile is where I also conduct my messaging through Signal and accept and receive phone calls and SMS. My non-FOSS profile has no access to any sort of messaging, phone, SMS, or otherwise.
- Phone
As mentioned above, my non-FOSS profile has no access to my phone, contacts, or SMS messaging. However, when I'm logged into that non-FOSS Profile, if someone calls me on my FOSS Profile, that phone call still comes through and I'm still able to answer it in my non-FOSS Profile. I'm just curious how that would be the case when the profile does not have authority to do that.
It would separately be helpful to know how I can dedicate a profile other than the Owner profile to receive SMS messages without the Owner profile also receiving those same messages. Is this possible?
- Spotify
(A) I have Spotify in my non-FOSS app profile. While at work, I will log out of my non-FOSS profile and listen to Spotify on my work desktop. When doing so, I noticed yesterday that the song I'm playing will briefly show up on the locked screen of my FOSS profile. It's a split second and then disappears. To be clear, it's not the background on the phone that would display if I were actually logged into the non-FOSS profile, but rather, it essentially looks similar to how a Pixel with stock Android has the feature where it tells you what song is playing in the background. This was a bit concerning to me because it would indicate that (i) the phone was picking up audio in the background without permission or (ii) the non-FOSS profile was crossing over to the FOSS profile and providing data on the screen.
(B) What was of greater concern was that just today when I logged out of the non-FOSS profile and logged into Spotify on my desktop, I clicked to play a song on my desktop and it started playing on my device. While that would be fine if I were logged into the profile with Spotify downloaded, I wasn't. Instead, the song was playing on my FOSS profile. Again, I'm unsure how I could play a song on a device through a profile which does not even have access to the app playing that song in the first place.
Is this all easily explainable or should there be concerns about how walled off user profiles are from one another?