Hey Everyone,
I understand that GrapheneOS treats GPS just like any other application: users have control over permissions. For example, I can disallow GPS from accessing my location or sensor data. However, I'd like to get a better understanding of what other information Google might be able to obtain when using Sandboxed GPS with apps from the Play Store.
For example, I've been a long-time Spotify user and wish to continue using my account. When I set up Sandboxed GPS, I made sure to use a new google account that isn't in any way associated with my identity (no phone number, no recovery email associated with me, etc). However, once I log into my Spotify account while GPS is active, will Spotify be able to send my account information they've collected to google via GPS? They may choose not to, but Spotify is closed-source, so they could really be doing whatever they want with my account or profile data.
TLDR: What can be sent to google through Sandboxed GPS? Can apps use it to send Google any kind of information, or is GPS limited enough in scope to only receive certain kinds of information from apps? Can the information that I give to closed-source apps become associated with the Google account being used with GPS (ie. login with Spotify account -> Google now associates that Spotify username/email with the account that I use for GPS)?
I'm pretty certain (and it seems pretty obvious) that the answer to all of this is a resounding YES, but I also just want to understand a little more about how Sandboxed GPS works, and what kinds of information is typically sent from Play Store apps. Obviously a good solution is to make new accounts for Spotify, etc that are set up with more anonymous information.