Best practices for multiple user profiles

hello-gos

I have bee using GrapheneOS with just the owner profile for a few years. I am interested in expanding to multiple profiles to segregate apps and data.

I assume that avoiding app installations completely in owner profile would be most secure but comes with more admin and space duplication for apps used in multiple profiles so would like to avoid this kind of setup if possible.

The most pragmatic approach I've seen is to install all apps in the owner profile and disable the apps immediately. Then push them to their corresponding profiles.

Is this approach secure? What are the downsides?

For example, can malicious apps cause issues in this kind of setup since they are installed in the owner profile? Any other issues to be aware of?

mmobder

hello-gos The most pragmatic approach

... is to have owner as a daily driver, private space for separation (+ work profile if you must have 3rd id, though it will be deprecated), waiting for multiple private spaces.