grapppp It totally depends on your threat model and what you're trying to accomplish. There is no one "right" way to do profiles...
For example, I separate sensitive apps away from main profile and also separate apps that I consider more hostile into other profiles.
DeletedUser115 I'm starting to get the idea and sorting apps in my mind. What do you use the main profile for? Is it just phone calls and SMS separated out?
grapppp I don't use the Owner profile at all. Instead I have one user profile "main" where I have most of the apps that I use all the time... Another profile for banking. Other profile for matrix client because I consider it hostile.
DeletedUser115 Why do you not use the Owner profile? Is it the same as Linux root? I know it's not actual root, I mean that it has more priviledges or access to something that other profiles don't?
grapppp Not exactly... Owner is different from other profiles in two ways:
It is always unencrypted and always running. You can't use another profile and not have Owner opened. I need to use some profiles like banking with no other profiles running on the background....
Some system settings can only be changed from the Owner profile. So not using it provides an extra assurance such settings won't be changed accidentally or maliciously.
DeletedUser115 Very smart solution, I will follow suit. However why is the Owner profile unencrypted? That would mean that you should not store any data on the Owner profile, such as pictures?
grapppp No Owner profile is encrypted at rest like any other... However it's always running which means open. So you can't use some profile with hostile apps and not have Owner opened.
DeletedUser115 So when I switch to a hostile app profile, other profiles are off except for the owner, which is why it's safer to not have anything on the owner profile. Thank you for explaining.
grapppp yes... Please note you need to tap End Session to shut down a profile, it doesn't happen automatically when you switch to another profile. And yes, owner cannot be shut down like that and is always running.
DeletedUser115 Matrix is hostile? Do you mean Element?
Arnauld it's an inbound communication channel... So I consider it hostile... Client doesn't matter, any client may have vulnerabilities
DeletedUser115 Thank you for explaining this further. I will make use of this and think of how to best categorize my apps. Right now I'm deciding if there is any point to separate hostile apps to separate profiles and what I must have in the main profile. For example I would like to have maps but I don't like phone calls because they are not encrypted so I use Signal. Maps can be offline but Signal will be online. If Signal has a vulnerability then my maps data (location data) would be compromised. I know I will be taking pictures of some things too at times so my pictures will go to the main profile too, which means that they would be compromised too. The same with taking notes which can also be offline...
I dont know much about Graphene / security, but you could install some apps in the workprofile.
You could use an crapp app there, if you need notifications from it. You would get these notifications, while you are in your normal profile. And the App couldnt access your Pictures for example. But with your File Manager you could copy Files to your Work Profile.