Apps already run in a sandbox in regular Android, and GrapheneOS gives you a few more options (e.g. storage scopes and whatnot). What GrapheneOS does differently is force Google Play Services to also run in that same sandbox, so it behaves like a regular app instead of a privileged system service.
Got it.
Could you run the other apps sandboxed too?
Like, install chase banking from play store, and run the app from the sandbox?
Also what about Microsoft authenticator
Apps already run in a sandbox in regular Android, and GrapheneOS gives you a few more options (e.g. storage scopes and whatnot). What GrapheneOS does differently is force Google Play Services to also run in that same sandbox, so it behaves like a regular app instead of a privileged system service.