matchboxbananasynergy
Thank you for your help, and the help from others! I truly appreciate this community, how people are willing to share their time and expertise in helping people achieve their privacy and security goals. I would like to contribute by summarizing what I have learned so far.
These conclusions are in the context of my personal threat model, which is pretty vanilla. I want to avoid surveillance capitalism. I'm coming from iOS, having never used an Android, and I already use (mostly) FOSS and/or privacy-respecting apps, and very few apps in general. Spotify is my main weakness in terms of privacy, but I truly value the music discovery I get from their collecting my listening data, so it’s a known and accepted weakness in my threat model.
On GrapheneOS, there are many ways to install apps: sandboxed Google Play, Aurora Store, F-Droid, RSS and GitHub, and others. I will focus on these specified four from the thread discussion.
Sandboxed Google Play is a secure method for installing and updating apps, with some minor (in my threat model) privacy compromises (see notes below). I will use this option (for now) for installing apps. I will use a single-purpose Google account to log in to Google Play. I will install it in my owner profile to be able to use Spotify. If I didn’t use Spotify, then I would likely avoid Google Play and skip down the list to using RSS and GitHub to install apps (and forgo notifications in Protonmail as a result).
Aurora Store uses shared Google accounts to access Play Store anonymously. Great for privacy, but this comes with some security risks (e.g., the shared account might have opted into beta versions of apps). Aurora Store itself has security risks (see link below). I prioritize security before privacy in my threat model, so I won’t use Aurora Store to install apps.
F-Droid has security concerns, and since I believe security is a necessary condition for privacy, I won’t use F-Droid to install apps. Their website is still a great method for FOSS app discovery. I hope the security flaws are fixed, because I would truly love to default to this store with its combined ease of use and focus on FOSS apps.
Security risks of using Aurora Store and F-Droid are explained in more detail in this link that was shared earlier:
https://privsec.dev/posts/android/f-droid-security-issues/
Using RSS and GitHub is a secure, but more complicated, approach to installing apps, and has privacy benefits over using Google Play for apps. This approach requires some skill and places a lot of the security responsibility on the user: (a) downloading the app from a reputable source; (b) verifying its signature; and (c) keeping it updated in a timely manner. It seems like the most complicated part is how the key signature is distributed to users, especially with respect to security. With TOFU (Trust On First Use), signature verification is luckily a one-time chore per app. Keeping it updated might be more tedious than Google Play, in exchange for being (more) free from Google. If I didn’t use Spotify, I would use this method instead of Play Store.
As a result of choosing sandboxed Google Play to install apps, I will face these potential privacy cons:
Con: Google Play can collect data about notifications (but not the content if encrypted, like Signal messenger), and probably app metadata. Solution: n/a
Con: Google Play can see a list of installed apps on that profile. But, so can all other apps in that profile. Solution: Install Google Play on secondary profile(s), if that provides other actual benefits (e.g., having two sets of contacts).
Con: Google Play can access some user settings like timezone and language. Solution: n/a
Con: Google Play increases attack surface, and creates an extra attack channel via notifications. Solution: n/a
Con: Google Play can communicate with other apps via mutual consent, and those apps can leak data to Google that way. Solution: 1) Install Google Play on secondary profile(s) away from sensitive apps; 2) In the profile with Google Play, choose apps that are unlikely to willfully share data with Google (i.e., FOSS apps, privacy-friendly apps).
For future actions, I will continue to educate myself about the RSS installation method, and I will keep an eye on Accrescent and consider it when it transitions out of alpha-beta phases.
Thank you again to everyone for your help!
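The signature-verification and TOFU step the post describes for the RSS/GitHub install method, as an added example that is not from the original poster: a small Python helper that parses the signer digest printed by `apksigner verify --print-certs`, pins it on the first install of a package, and flags any later APK whose signing certificate differs. The package name, pin file and apksigner output are constructed for the example.

```python
"""TOFU pinning of APK signer certificates for manually installed apps.

Added example, not from the original post. It assumes you ran
`apksigner verify --print-certs <apk>` (Android build tools) on the
downloaded APK and captured its output; digests and package name below
are constructed.
"""
from __future__ import annotations
import json
import re
from pathlib import Path

# apksigner prints one such line per signer; only the SHA-256 digest is trusted.
DIGEST_RE = re.compile(r"^Signer #\d+ certificate SHA-256 digest: ([0-9a-f]{64})\s*$", re.M)


def signer_digests(apksigner_output: str) -> list[str]:
    """Return the SHA-256 digests of all signer certificates, sorted for comparison."""
    return sorted(DIGEST_RE.findall(apksigner_output))


def tofu_check(pins: dict[str, list[str]], package: str, observed: list[str]) -> str:
    """Trust On First Use: record the signer set the first time a package is seen,
    then require exactly the same set for every later update.
    Returns 'pinned' (first use), 'ok' (matches pin) or 'MISMATCH' (do not install).
    The pins dict is updated in place so the caller can persist it."""
    if not observed:
        raise ValueError("no SHA-256 signer digest found; refusing an unsigned APK")
    if package not in pins:
        pins[package] = observed  # first use: nothing to compare against yet
        return "pinned"
    return "ok" if pins[package] == observed else "MISMATCH"


def load_pins(path: Path) -> dict[str, list[str]]:
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(path: Path, pins: dict[str, list[str]]) -> None:
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))


# Constructed apksigner output for a first install and for a later update whose
# signing certificate changed (the case TOFU exists to catch).
FIRST_RUN = ("Signer #1 certificate DN: CN=Example Dev\nSigner #1 certificate SHA-256 digest: "
             + "0123456789abcdef" * 4 + "\nSigner #1 certificate SHA-1 digest: " + "0" * 40 + "\n")
ROTATED = ("Signer #1 certificate DN: CN=Example Dev\nSigner #1 certificate SHA-256 digest: "
           + "fedcba9876543210" * 4 + "\n")

if __name__ == "__main__":
    pin_file = Path("apk-pins.json")  # hypothetical pin store location
    pins = load_pins(pin_file)
    print(tofu_check(pins, "com.example.app", signer_digests(FIRST_RUN)))  # pinned
    print(tofu_check(pins, "com.example.app", signer_digests(ROTATED)))    # MISMATCH
    save_pins(pin_file, pins)
```

The first-install digest is taken on trust, which is why the post notes that downloading from a reputable source matters; the check only protects later updates.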