Hello!
To clarify, Android security model assumes that a single device can be used by multiple different users. That is exactly why user profiles feature exists.
Let me give you an example.
Let's say that you have a child and sometimes you allow them to use your phone. In this case, it makes sense for you to create a separate user profile for your child, install the needed apps, and maybe disallow installing new apps after that. You, as the owner of the device, should know the password to the owner profile and maybe even the password to your child's user profile but not necessarily. On the other hand, your child would only know the password to their own user profile. In this setup, your child can take your phone and switch to their user profile anytime without knowing the password of the owner profile.
That is how Android is designed and GrapheneOS only makes it better by allowing to have more user profiles, having a toggle for cross-profile notifications, and many many more features.