I’ve been using GrapheneOS for quite some time now, and I used to have a work profile with GSF and “privacy invasive” apps. I recently reset my phone, and am wondering if I should have a work profile as before, or if I should create user profiles for those apps (as recommended by Graphene’s community).
The threat that has been explained to me is that a work profile is managed by an app (Shelter or Insular), which adds a layer of vulnerabilities and an app to be trusted. Therefore, they recommend creating different user profiles, as they’re native in Android.
I would say the recommendation is based on your threat model.
If your threat model requires big security, then you should use different user profiles. If not, then it is about your personal preference.
The advantages of work profiles are that
you can run apps in it simultaneously with your user profile and
(in my view) they are easier to set up (no need to replicate settings etc.)
but the advantages of user profiles are
more/better sandboxing and separation (each profile has its own signing key; more on the feature page of the GrapheneOS site: Features overview | GrapheneOS),
not being reliant on apps like Shelter, which can add attack surface, and
not being limited to creating only one work profile per user profile.