Can you ELI5?
tl;dr - Google Play Services aren’t installed by default on GrapheneOS, and since they don’t have root permissions, sideloading can’t be disabled.
GrapheneOS sandboxes Google Play Services, vs on stock the Google Play Services have root access, meaning they have full control and access to the system. This is likely how security settings could be changed without your permission, specifically a software update via OTA that just toggles the developer attestation requirement leveraging something in Google Play to “validate” the package.
In GrapheneOS (GOS) Play Services are sandboxed, which means they only have the permissions you grant them, and since you’re (ostensibly) not root on your device, you can’t give the services root. This means that Play Services can’t block sideloading on your device because they don’t have the access/permissions to, and I can’t imagine a world where GrapheneOS kills it just because Google says it’s a good idea.
Further, GrapheneOS has committed to supporting current Pixels until their EOL (End of Life) as prescribed by Google (5 years for some, 7 years for others, from date of release, so YMMV). This means that so long as the device is still supported by Google, you should still receive updates from GOS, meaning it’s still a viable device so long as the hardware doesn’t fail.
GOS recently announced that they’re in partnership with Motorola to release a first party phone with them (Motorola Hardware, GrapheneOS installed) and the first units are expected to be announced or available (don’t quote me on this one as I don’t remember which it was and whether it was speculation or commitment) either later in 2026 or early 2027.
Happy to clarify further if I’m still not making sense (I do that sometimes)
Nope, I got it with that, thank you. I used to be on top of my game with tech. I repaired radios and technical systems in the army, but as soon as I got out, I let it lax and fell behind. But you dumbed it down enough for me to get, thank you.