Is this concern reasonable or am I too paranoid?

Warning: long!

I’m working on my privacy and security setup and everything is going well so far, but I have some questions which I could not find reasonable answers for. My knowledge about tech in general is basic, so maybe the concerns are stupid or already explained somewhere but not understandable to me yet.

I have a phone with GrapheneOS. I keep apps to a strict minimum. All are FOSS and somewhat popular, with 1 or 2 being less so. I have experimented with compartmentalization using profiles, however, I chose to keep everything in one user because it was getting annoying. I would like to keep things that way, if possible.


I need to store sensitive personal information in a notes app, which can not be associated with the rest of the content on my phone, such as email account with PII and other apps that identify me. These notes need to be as secure as possible, because I do not want my journal entries and other stuff being found or broken into. However, I would like to keep this app installed in the same profile I use for everything else. Moving things from one profile to another just to put them in the app is something I would like to avoid, as I need to copy and paste a lot.

Questions:

  1. I worry about another app being somehow able to access the data inside the notes app, or some possible future vulnerability affecting this process of data storage. I know sandboxing exists, but can it really be trusted? Do you trust it? Do you think another profile is undoubtedly needed for this level of threat, or am I exaggerating?

I have done quite a bit of research on FOSS note-taking apps. However, most of them do not support features I need, such as folder and subfolder organization, image and file attachment and to-do list inside a note. I do not want to create an account, so Notesnook is out (correct me if I’m wrong). Standard Notes is too simple. Feature-wise, Joplin seems to be the best, and I would not sync notes online. Though, from what I read, it looks like local database can not be encrypted, as it only works when syncing.

  2. Is local database encryption a must, considering my concerns? I do not care about having to enter a long password every time I open the app, if it makes attacks like those almost impossible. But Joplin does not support that feature, as well as many others like Quillpad and Notally (or at least I think so). Does app data stay in a highly secure place, even if not encrypted? Ideally I would use something like a VeraCrypt container, but that is not available for Android and I cannot afford a Cryptomator license (…does anyone know about a giveaway for the F-Droid version? It is so important… :face_with_hand_over_mouth:)

I think Safe Notes looks the safest and has local encryption, which is great for me, but unfortunately does not support the aforementioned features.

  3. Do you have any app recommendation for my specific use case? Have you gone through a similar issue and if yes, what have you done? Which app do you use?

Also, there has to be an option to export them in order to maintain local backups. Real pen and paper is not an option for now.


Uhh… this is unnecessarily huge. I’m so sorry, but I can’t help myself. Thanks for any advice, and you do not have to answer all questions.

It’s unnecessary to employ multiple profiles for your notes app. If an app manages to bypass sandboxing, opting for a different profile won’t offer any security. Both the security of the sandbox and the isolation of profiles rely on the same mechanism. If someone genuinely aimed to access your data, they could simply copy it directly from your hard drive. In this scenario, sandboxing wouldn’t offer any security. However, usually modern Android devices are encrypted by default.

I don’t have any suggestions for a notes app.

I am a long-time user of Joplin; you can enable E2EE and any cloud sync with that.


I guess I’ll throw in Techlore’s video about private notetaking.

YouTube: https://www.youtube.com/watch?v=BJw5tKPP1PY

PeerTube: The BEST Private Notetaking Apps Explained - Neat.Tube

Since a VeraCrypt container would be your ideal choice, you might want to look at EDS Lite. It can create and mount VeraCrypt containers on Android.
Otherwise I can’t help you with advice for a notes app that would suit your needs.

Joplin is great, long-time user and supporter here. But there are 2 things I don’t like.

App PIN/password

There is no way to lock the app (desktop or mobile) with a PIN/password. And the creators said they will not do it, because “it’s a job of the OS”. :person_shrugging: Which I think is a stupid excuse. A lot of apps have it built in, including note-taking apps.

Android app

Is really basic with ok-ish UI. Not great experience. I use it only if I have to.

Firstly, I can’t predict the future. I do not know what’s down the road. The most secure thing today, might be as insecure as a wet piece of paper tomorrow. That being said, so long as apps/services are sandboxed, I wouldn’t worry too much. Even so, BE CAREFUL on the permissions apps “need”, and you give. IF an app can access your files, thus your notes in (unassumingly) a .txt format, then in theory, they could read what you’ve written. Essentially not breaking the sandbox, but circumventing it, via permissions.

Only you can decide if it’s enough. Personally, I have not encrypted my local notes.

Maybe consider Obsidian. It has tons of features, including those found in Joplin. It also features Community Plugins, some of which enable vault encryption. Sadly, I don’t think Obsidian itself is open source, even if many plugins are. If you can get past its closed-source nature, it’s a great app that, as far as I can tell, supports everything you’re looking for.

There is actually a very active discussion on the subject if you want to check it out: Open Sourcing of Obsidian - Meta - Obsidian Forum
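Two points raised in the thread, question 2 (is local database encryption a must?) and the reply about file permissions circumventing the sandbox, come down to the same thing: any process that can read the note file sees whatever bytes the app wrote. The following is an added example, not code from the thread or from any of the apps named in it. It shows a minimal encrypted-at-rest note record (a constructed JSON layout, not any real app's format) built from a password with scrypt and AES-256-GCM via Ruby's standard OpenSSL binding, and a check of what a file reader without the password can recover from it. The password and note text are constructed sample values.

```ruby
require 'openssl'
require 'securerandom'
require 'json'

# Constructed on-disk layout for this example only (not Joplin's, Obsidian's or
# Safe Notes' format): a JSON object holding base64 salt, nonce, tag and ciphertext.
FORMAT_TAG = 'example-notes-v1'

# Derive a 256-bit key from the user's password. scrypt is memory-hard, so an
# attacker who copies the file has to pay real cost per password guess.
def derive_key(password, salt)
  OpenSSL::KDF.scrypt(password, salt: salt, N: 2**14, r: 8, p: 1, length: 32)
end

# Encrypt one note. A fresh salt and a fresh 96-bit nonce are drawn for every
# record, so the same note text never produces the same ciphertext twice.
def encrypt_note(password, plaintext)
  salt  = SecureRandom.random_bytes(16)
  nonce = SecureRandom.random_bytes(12)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = derive_key(password, salt)
  cipher.iv = nonce
  cipher.auth_data = FORMAT_TAG            # header is authenticated, not encrypted
  ciphertext = cipher.update(plaintext) + cipher.final
  JSON.generate(
    'v'     => FORMAT_TAG,
    'salt'  => [salt].pack('m0'),
    'nonce' => [nonce].pack('m0'),
    'tag'   => [cipher.auth_tag].pack('m0'),
    'ct'    => [ciphertext].pack('m0')
  )
end

# Decrypt a record. A wrong password or any modified byte makes the GCM tag
# check fail and OpenSSL::Cipher::CipherError is raised; no partial plaintext
# is returned.
def decrypt_note(password, record)
  rec = JSON.parse(record)
  raise ArgumentError, 'unknown record format' unless rec['v'] == FORMAT_TAG
  salt, nonce, tag, ciphertext = %w[salt nonce tag ct].map { |k| rec[k].unpack1('m0') }
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = derive_key(password, salt)
  cipher.iv = nonce
  cipher.auth_tag = tag
  cipher.auth_data = FORMAT_TAG
  cipher.update(ciphertext) + cipher.final
end

# The view of any app that was granted file/storage access but has no password:
# does the stored byte string contain the note text as written?
def leaks_plaintext?(stored_bytes, note_text)
  stored_bytes.include?(note_text)
end

if __FILE__ == $PROGRAM_NAME
  note = 'Journal 2024-01-01: appointment with Dr. Example'   # constructed sample
  pw   = 'correct horse battery staple'                        # constructed sample
  plain_file     = note                       # what a .txt note looks like on disk
  encrypted_file = encrypt_note(pw, note)
  puts "plaintext file leaks note:  #{leaks_plaintext?(plain_file, 'Dr. Example')}"
  puts "encrypted file leaks note:  #{leaks_plaintext?(encrypted_file, 'Dr. Example')}"
  puts "round trip ok:              #{decrypt_note(pw, encrypted_file) == note}"
end
```

The design choice worth noting for the thread's question: encryption here only protects the file while the app is not holding the key. Once the note is decrypted for display, the sandbox and the permissions you grant other apps are what keeps it private, which is the reply's point about permissions rather than sandbox breaks being the realistic risk.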

The plugin ecosystem is pretty great in Obsidian; as it’s JavaScript based, it’s cross-platform.

That’s unfortunately true. I had a lot of syncing issues with the Android app in the past, hence I don’t use it.

On mobile I just send a message on my Matrix client, and if I have to add it to Joplin, I do that on desktop.