Pretty obvious. As so often a tradeoff between security and convenience. Shelter being able to freeze apps (saves battery!) and providing second app instances on one user is a nice thing beyond any security considerations.
It does make sense to use at least one additional profile on GrapheneOS: Because the session of additional users can be ended opposed to user 0 → unload encryption key and reach "before first unlock" condition for secondary profiles. I've never noticed the importance of before first unlock compared to after first unlock before.
I have to confess that I solely rely on emergency power off for protecting master keys in RAM on desktop computers. Quickly grabbing RAM and cooling it down hoping to receive the master key sounds absurd and gets harder the more dens and more quick RAM becomes. Even with 1990s technology this wasn't reliable enough for having the (in)famous Stop 'n' Swop feature to be actually used in Banjo Kazoozie (and swapping an N64 cart is a whole lot of easier and quicker than opening a desktop PC cooling and removing RAM).
Direct memory access is/was possible with Firewire and there might be other possibilities.
All in all reading about this topic for two weeks now brings me to one conclusion GrapheneOS is pretty much the only alternative if you are very serious with Android security!
*Sigh* Maybe Pixel 8 series drops price a bit when the 9 series is released.
=========
About Device Owner apps: They are not exactly intended to be security addition for a private users, but for enforcing company rules. Protecting someone else's interests instead of your own. Android Device Policy Control as offered by commercial solutions with remote administration, remote surveillance and whatnot is the opposite of securing your data (though it may make sense for corporate owned devices – given that the remote administration tool itself doesn't contain exploitable security holes).
A pretty young app named OwnDroid looks interesting (and can remove itself if desired). Unfortunately the documentation beyond a short readme file is only in Chinese for now. The app itself has already been translated to English. Readme mentions Google's Test Device Policy Control (Test DPC) App. Have not fully tested the latter yet because it looks more complex.
Independent code audit would be prerequisite before trusting and giving any app Device Owner role, THE most powerful and dangerous role available not counting root access. This promising app reminds of local Groups Policy object in Windows. Just like local Group Policies you can lock/unlock certain functions for yourself opposed to AD domain controlled group policies enforced by the admin.
Many possible user restrictions are pointless, like disabling screen brightness control. Seriously? What for would the admin prevent a user from adjusting screen backlight?
I can see a few of these being useful (toggling the options to "on" position makes enforces a restriction). Example screenshots:
Freezing network configuration, disallowing Bluetooth (sharing) and USB data connection could prevent opportunistic quick copies if your attention isn't at 100%.
Sadly these DPC restricting options can be (and probably already are) abused by colorful, shitty parental control software (bundled with 100 tracking modules connected to the vendor); Software for those bad people who want to solve sociological problems, problems of upbringing kids, with technological methods. The only thing missing for parental controls are a separate from app login (parent PIN) and automatic conditions to enforce the DPC restrictions (WiFi 1 hour a day, not in the evening…)
OwnDroid also explains why Seedvault backup died the moment Sentry was installed. It seems installing any Device Owner app disables the backup service by default – this would probably also be true for the Google Drive backup on stock ROMs. But here the service can be reactivated. In this page (System manager → Options) toggling to "on" positions actually turns on a feature and not a restriction.
