It's kind of tough to say all that would need to be said about this, so I'd suggest you read what's on the GOS website that covers most of what you're asking about. Read from here (the exploit protection section) to the more complete patching section. It's a lot to read, but it pretty much answers all of your questions.
But the short answer is there's nothing to really worry about here. GrapheneOS is always up to date, has a hardened memory allocator, and we all benefit from a secure app sandbox.
Android Verified Boot also helps. Use Auditor to make sure your system hasn't been tampered with.
[deleted] But GOS doesn't allow apps to be installed in different user profiles without your permission.
Only owner can do that from the settings app. No other app or profile can do anything like that.
[deleted] Could it even work? Wouldn't that mean the dodgy link you clicked somehow changed your settings or gave permissions to download?
Apps can download anything they want. Downloading malicious code isn't necessarily bad, it's running it that's bad.
[deleted] This is how those things work: a window pops up and auto-fills with code and instructions, then hides itself before you notice. Before you know it something has downloaded and hidden itself.
This is how it used to work on computers. Phone OSs are designed not to allow things to run like that from random locations and without admin privileges. To "run" something in Android you have to install it first. The only way to install an app is using a system API. You have to give apps permission to request to install other apps. They cannot just install things on their own without you approving it.
[deleted] But in GOS, would they get that to work? Or did it get stuck in a black hole and not download?
AOSP would do this too. The app or browser can download anything, but they're still confined to their sandbox, so even if they did manage to "run" some malicious code, the malicious code is also confined to the sandbox.
[deleted] Let's say you did it in your WhatsApp user profile. Does that mean the stalkerware exists ONLY in the WhatsApp profile? Or does it exist everywhere, across your main user profile as well?
If you gave WhatsApp permission to install an app, then hit "install" when the OS asked if you want to install the app, then the app is only active in that profile. Technically, it's available to other profiles, but the app isn't active in those profiles, nor could it be until it's installed/"activated" there too.
[deleted] I haven't seen anyone give a good explanation for what hacking looks like on GOS.
Android is already very secure. GrapheneOS does a lot to improve that security. Obviously, there will continue to be little bugs uncovered here and there, but recently Google has taken steps to reduce memory bugs (the most common kind of bug, which can result in serious zero-day exploits).
If one of us were to be "hacked" it likely would be by some other means. Most likely either by social engineering or a supply-chain attack, but then they'd still be confined to the app sandbox.