>The GrapheneOS community’s stance on decoy PINs is that redirecting to a secondary profile is not as secure as triggering a full device reset.

This isn't about security. Commercial forensic tools would be able to know if this was a user profile. Profiles aren't designed to be hidden nor even on Android. Certain features and settings wouldn't be available to the operator. You aren't decoying anything.

For something deniable we would be looking at reserving storage space for a deniable virtual machine instead.