I’ve been trying to switch over to Graphene for about a year now. For context, I have an iPhone 17, an Apple TV, and a MacBook Air M3 (I have a second old ThinkPad on Fedora). I also own a Pixel 9 Pro flashed with GOS. I use Proton VPN, Proton Mail, Ente, Proton Pass and Bitwarden, Proton Drive and Filen. I have AdGuard Pro on my iPhone, though I’m not sure it does a ton. I do have one Gmail account because I am a YouTubeTV subscriber. All of my most important conversations are on Signal, but there are still several folks I communicate with on iMessage, which as we all know is preferable to SMS and (to some) E2EE RCS.
My threat model is mainly concerned with keeping my communications as private as possible and with keeping my daily location as private as possible (i.e., mortgages are a matter of public record and I cannot avoid that, but I want the ability to heavily control what apps see my location and when, like GOS allows). If I migrated entirely, I would want to delete my AppleID. For those reasons, I think GOS would only really work for me if I made a fresh AppleID and paid for hosted BlueBubbles on my Pixel (I still want to be able to use my number). But that would involve both keeping Google Services on AND making payments through the Google Play Store. I understand E2EE RCS is coming to Apple, but I believe BlueBubbles would be less of a privacy concern than installing Google Messages on Graphene.
Would this migration really earn me any kind of privacy upgrade? Is having Google services AND Google Play Store going to ultimately negate any benefits I get from being on GOS?
No. On GrapheneOS, Google Mobile Services (GMS) are sandboxed, as per the GOS documentation. Compared to “stock” Android distributions (e.g. Samsung, among others), GMS have much less access to your data on GOS. Even if you give the few necessary permissions to GMS to make RCS work, as per the GOS RCS guide, GMS will still have nowhere near as much access to your data compared to “stock” Android distributions.
You’d be getting most of your “passive” data out of the Apple ecosystem when using GOS instead of an iPhone. Apple controls iPhones from top to bottom, and can see everything you do on them. That’s a massive amount of “passive” data they can see. I’d say blocking that avenue alone by switching to GOS is a massive privacy benefit (to me personally), even if you still need to partially dip your toes into the Apple ecosystem here or there.
Your title poses the main question. Is it worth it? I’m sorry to say, but that’s something you’ll have to make the call on your own. Do you value what Apple offers more than the privacy benefits of GOS? None but you can make that call for you. We can only help you find out the pros and cons of each call.
Whatever you decide, good luck on your privacy journey.
GOS sandboxes Google Play services and limits the information they can get about you, so it will increase your privacy compared to regular Android (non-sandboxed Google services operating on the OS level) or iPhone (Apple is getting a lot of information).
Graphene has written a lot about how their sandboxed play services work, so you could read about that if you’re interested.
Okay, I might as well post some info here.
GrapheneOS has a compatibility layer providing the option to install and use the official releases of Google Play in the standard app sandbox. Google Play receives absolutely no special access or privileges on GrapheneOS as opposed to bypassing the app sandbox and receiving a massive amount of highly privileged access. Instead, the compatibility layer teaches it how to work within the full app sandbox. It also isn’t used as a backend for the OS services as it would be elsewhere since GrapheneOS doesn’t use Google Play even when it’s installed.
Since the Google Play apps are simply regular apps on GrapheneOS, you install them within a specific user or work profile and they’re only available within that profile. Only apps within the same profile can use it and they need to explicitly choose to use it. It works the same way as any other app and has no special capabilities. As with any other app, it can’t access data of other apps and requires explicit user consent to gain access to profile data or the standard permissions. Apps within the same profile can communicate with mutual consent and it’s no different for sandboxed Google Play.
Sandboxed Google Play is close to being fully functional and provides near complete compatibility with the app ecosystem depending on Google Play. Only a small subset of privileged functionality which we haven’t yet ported to different approaches with our compatibility layer is unavailable. Some functionality is inherently privileged and can’t be provided as part of the compatibility layer.
The vast majority of Play services functionality works perfectly including dynamically downloaded and updated modules (dynamite modules) and functionality provided by modular app components such as Google Play Games. By default, location requests are rerouted to a reimplementation of the Play geolocation service provided by GrapheneOS. You can disable rerouting and use the standard Play services geolocation service instead if you want the Google network location service and related features. This shouldn’t be needed outside of testing or obscure use cases, since GrapheneOS provides its own opt-in Network Location feature.
Our compatibility layer includes full support for the Play Store. Play Store services are fully available including in-app purchases, Play Asset Delivery, Play Feature Delivery and app and content license checks. It can install, update and uninstall apps with the standard approach requiring that the user authorizes it as an app source and consents to each action. It will use the standard Android 12+ unattended update feature to do automatic updates for apps where it was the last installer.
Of course, what specific programs you run on Android versus iOS could impact privacy, but you should be able to use open source programs for most things on Graphene.
Have you seen OpenBubbles? It might solve some of your issues. Self-host quickstart | OpenBubbles