GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

Permission manager doesn't reflect apps that have just been installed #4038

Open graphener opened 1 month ago

graphener commented 1 month ago

If you're in the Owner profile, you can install an app directly into some other profile. Then you can transition to that profile. After some atypically high profile transition latency (presumably because those new apps are being copied), you will arrive in the target profile. Then if you go to Permission Manager, and you look at Network (or perhaps any other permission), it won't reflect the fact that the newly installed apps have that permission enabled. This won't change until you actually open the app.

The fix would be to ensure that Permission Manager reflects all existing and newly installed apps, regardless of whether or not they've ever been opened. (Perhaps this applies to newly installed apps in the Owner profile too.) I don't expect it to update the list in real time (and it probably shouldn't) but it should be accurate at the moment I display it. (Obviously Owner can contain images of apps that aren't actually installed in Owner itself but are installed in other profiles. In this case, they wouldn't appear in Owner's Permission Manager, but they would appear in other profiles' Permission Managers.)

Moreover, it's scary that newly installed apps get automatic privileges, especially networking. This should be only upon opening the app and the user agreeing to grant the permission.

graphener commented 1 month ago

One caveat to this is that, if you follow my recommendation above, then you can't actually give an app permission to be a VPN without starting the app itself. (This actually seems to be the case already. A VPN app obviously requires network permission plus the VPN privilege, wherein I think the latter is not reflected in Permission Manager because it's special for some reason.) This is OK but it implicitly requires that the internet be disconnected while the VPN is being set up for the first time, because otherwise all the traffic from your apps would not be redirected by the VPN until it was set up and connected.