Currently, Bluetooth pairings are global and ignore any user boundary transitions. This means that a device paired by one user will remain available after logout and another user logging in. For the vast majority of device classes / use cases Chrome OS currently supports, this is reasonable.
With Chrome OS expanding into new form factors, sharing Bluetooth pairings across user sessions can become a risk. For example, consider the case of a detachable with a semi-permanently attached keyboard:
1. User in public space briefly leaves device semi-unattended (e.g. leaving device with acquaintance while going to restroom)
2. Attacker replaces permanently attached Bluetooth keyboard with identical-looking malicious one that contains a keylogger, signs in using guest session to pair it.
3. User comes back, not noticing the swap, logs in using keyboard, thereby revealing their password to keylogger.
We're generally moving in the direction of adding restrictions that prevent external accessories from being picked up in user sessions from less trusted contexts. Examples include usbguard (see issue 869063), and detecting and flagging swapping of detachable USB keyboards (see issue 732626).
Sooner or later we'll want to expand this to Bluetooth as well, i.e. either stop paired Bluetooth devices from being adopted automatically when a user session starts (might make sense for non-keyboard device classes) or flag paired devices that the user in question hasn't used before with the device (for keyboards, similar to the USB base swapping functionality).
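One way to model the two session-start policies proposed above (not adopting global pairings automatically for some device classes, and flagging input devices this user has not confirmed before), as an added illustration that is not Chrome OS code. The per-user trust store, the device classes and all addresses below are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum

GUEST = "guest"  # guest sessions never accumulate persistent trust

class Decision(Enum):
    ADOPT = "adopt"  # use the global pairing silently, as today
    FLAG = "flag"    # hold the device until the user confirms it
    SKIP = "skip"    # do not adopt the global pairing in this session

@dataclass(frozen=True)
class PairedDevice:
    address: str       # Bluetooth address; sample values below are constructed
    name: str
    device_class: str  # "keyboard", "mouse", "headset", ...

@dataclass
class SessionPolicy:
    # Per-user record of device addresses the user has already confirmed.
    trusted_by_user: dict[str, set[str]] = field(default_factory=dict)
    # Classes whose global pairings are never adopted automatically.
    no_auto_adopt: frozenset[str] = frozenset({"headset", "phone"})
    # Input classes: an address this user has not confirmed before is flagged.
    flag_if_unseen: frozenset[str] = frozenset({"keyboard", "mouse"})

    def on_session_start(self, user: str, paired: list[PairedDevice]) -> dict[str, Decision]:
        trusted = self.trusted_by_user.get(user, set())
        out = {}
        for dev in paired:
            if dev.device_class in self.no_auto_adopt:
                out[dev.address] = Decision.SKIP
            elif dev.device_class in self.flag_if_unseen and dev.address not in trusted:
                out[dev.address] = Decision.FLAG
            else:
                out[dev.address] = Decision.ADOPT
        return out

    def confirm(self, user: str, address: str) -> None:
        if user == GUEST:
            return  # a guest's confirmation must not make the device trusted for anyone else
        self.trusted_by_user.setdefault(user, set()).add(address)

# Constructed scenario from the report: the user's own keyboard, an identical-looking swap paired from a guest session, and a headset.
ORIGINAL_KBD = PairedDevice("00:11:22:33:44:55", "Detachable Keyboard", "keyboard")
SWAPPED_KBD = PairedDevice("00:11:22:33:44:66", "Detachable Keyboard", "keyboard")
HEADSET = PairedDevice("AA:BB:CC:DD:EE:FF", "Headset", "headset")

def demo() -> dict[str, Decision]:
    policy = SessionPolicy()
    policy.confirm("alice", ORIGINAL_KBD.address)  # alice has used her keyboard before
    policy.confirm(GUEST, SWAPPED_KBD.address)     # the swap was paired from a guest session
    return policy.on_session_start("alice", [ORIGINAL_KBD, SWAPPED_KBD, HEADSET])
```

At alice's next login the original keyboard is adopted, the swapped keyboard is flagged because her session has never confirmed that address, and the headset pairing is left unused.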
Comment 1 by harpreet@chromium.org, Oct 9