Should I install all of my Google stuff in another profile so I can use the "end session" feature as a sort of kill switch? Does installing all of the Google stuff in the owner profile allow it to access core system files or other profiles or something that they otherwise wouldn't be able to access if they were on a different profile?

    Geodude365 simple answer - keep it simple and use Owner profile with sandboxed Play Services (if you need it, i.e. "Google stuff"). Long version - it depends on your threat model.

      Geodude365 No. The owner profile is like other profiles, so it has to no additional access. Sandboxed Google Play means that the Google apps are regular sandboxed apps, so the same rules apply to them as all of your other apps. Apps in the owner profile can't see apps in other profiles, the same as apps in secondary user profiles.