when I looked at this in MS Teams/Outlook/Authenticator inside Shelter there was work to improve the Shelter behaviour - https://gitlab.e.foundation/e/backlog/-/issues/5648
If you read the gitlab issue on what jacquarg is commenting you’ll get an idea of what the current limitation is… it seems the use-case of “whitelisting a tracker for an app in a work-profile” isn’t accounted for yet
Trackers control: the first Advanced Privacy instance to start is the one which take the control around tracker detection and blocker. It should be the one from Main profile.