I have been using grapheneos on a pixel 5 for more than 1 year now.
My pixel 5 setup was:

  • single user profile with insular to enable work profile.
  • gsf installed in work profile as some of my apps required gsf. E.g. banking apps and government apps.
  • this was working well as i received notifications for the apps in work profiles only.

I have just bought a pixel 7 and installed grapheneos. I am considering whether i should still create the work profile with gsf or should i install gsf in the main profile?

Its alright to install gsf in the main profile, work profile doesn't provide proper isolation.
you can disable the internet for all play services apps, but notifications no longer work.

in my opinion either you can go with a multiple user account setup or if you are not bothered about the IPC thing you can use everything in the main user profile that makes everything much simpler to use.

    W1zardK1ng thanks. Really appreciate it. If i do leave network permission to get notifications from my banking app, what am i trading off? Just my ip ?

      If you have google services installed with internet access, technically all the other apps installed in the same profile can send some bits of data through google play services using IPC even if that specific app had internet disabled.
      We are not sure what data is being transferred in this way and there are no proper ways to log this in aosp for now.