Google Services / Profiles / privacy doubts after first steps

gosjos

Hi all,

First of all, I would like to thank the people at GrapheneOS fur such a great effort, and the rest of the community for sharing their knowledge in these forums.

I'm in the process of de-googling as much as possible after 15-20(?) years of using GMail, Google Search, Google Maps, etc.

My main target is privacy (versus Big Tech: Google, Apple, Meta...), but trying to balance it with the inevitability of having to interact with people that is not able to start the same path (so: Whatsapp needed, for example) or with services that require a mandatory Google Account (e.g., Google Family Link to oversight my children's usage of smart devices/internet).

In that sense, GrapheneOS (GOS) seems to be a great starting point .

I already had a Google Pixel 7a device with stock Android (the one from Google). Ordered a second 7a (second hand, couldn't find a new one) and installed GOS on it. My first device has been factory reset and now is being used by my wife.

On the second (GOS) device I have installed my SIM card. This device currently has two users: owner and "Full Google" (FG), following my ideal/planned setup (see below).

Owner has no Google Play/Services, only the GOS App store, Accrescend and Obtanium. No VPN currently.

The FG account is a separate profile in which I have installed Google Play/Services in order to install applications from Google Play, requiring my original Google Account (GMail, etc.). This profile has a Mullvad VPN always-on enabled, including the option to prevent applications using other connections than the VPN.

So far, so good. Probably using my SIM and my home wifi SSID, and giving access to Phone for some Google apps etc. is not a perfect approach, but I'm starting the process. The thing is that I've reached a point at which my feeling is that I cannot longer have a "clean" Owner profile. Obtanium and Accrescent are great, but Google Play Store is needed for many apps (banking, and others?).

My ideal (planned) setup was:

Owner Profile (no Google Play/Services, no Google apps, FOSS not requiring Google Services)
Private Space in the Owner (Google Play/Services, no Google apps, FOSS/ propietary apps requiring Google Services).
Google-specific Profile [FG]: Google Play/Services, Google applications being phased-out (ideally, to be replaced by FOSS or that cannot be replaced -e.g., family link-)

Ideally, each one using a separated VPN profile.

So, my main doubts/concerns:

I've found some apps (banking, for example) that refuse to work when using a VPN. These apps need Google Play/Services. This seems to translate into requiring an additional Google-enabled profile without VPN? Looks like split VPN (excluding specific apps from VPN), which would be a possible solution, does not work with the "prevent apps from not using VPN" check.
Does it make sense to create a new Google Account to be used only in the PS? No burner/anonymous, since it is almost impossible to create a Google Account without providing a telephone number. I could get (pay) a dedicated number just for the validation process in order to avoid using my personal (already Google-known) phone number. In other words: which steps/setup (regarding Google Accounts) would you recommend in order to "start fresh" (if that's really possible).
Seems like either a Google Account is needed in the Owner to install Google Play apps and push then into other spaces/profiles or Google Play + Google Profile is needed for each separated Profile/Space requiring installation of apps from Google Play (no app pushing from other profile than the Owner). If this is so, in the first case, looks like it is almost impossible to have a "clean" Owner profile without refusing to use any app from the Play Store, isn't it (I'm assuming no Aurora Store, seems like it does not offer a real privacy advantage)

I guess that all this boils down to: is the aforementioned "ideal setup" plus non-VPN additional profile really possible (given my constraints)? Or should it be revisited (Google Account in the Owner, etc.)? What would you recommend?

Any other consideration (specially regarding privacy, reusing devices/Google accounts...)

Thanks in advance,
GosJos

nologo

Hi! My advice would be not to overthink matters and to keep your setup simple. Instead of having a private space with Google AND a secondary profile with Google, why not just put all your Google stuff into that private space? So you would then have your owner space full of cool FOSS stuff, and a private space within it for Google stuff. And no secondary user profile.

JacksWendel

Whats the technical/security/privacy impact or difference between private space and another user profile

nologo

JacksWendel Whats the technical/security/privacy impact or difference between private space and another user profile

I don't know enough about the technical differences to be able to answer your question, to be honest. I do know the difference in convenience and usability is huge. Switching between owner space and private space is much easier and less disruptive than switching between different user profiles.

bionic Banks truly suck.

Your bank sucks, I guess. My banking apps work fine in whatever profile or private space, without Google Play Services, and with Mullvad VPN on (and without split tunneling). Perhaps you should find a better bank.

bionic

Im experiencing the same issue with banking apps not happy with the always on VPN.

Excluded them via split tunneling, but that didn't work either. Apparently, as long as VPN is on in any profile and/or private space, then none of the banking apps will work.

Banks truly suck.