Thanks for the reply, and yes, your synopsis of the problem is correct. Just to summarize as well as answer your follow-up question, when I add the sharedUserId to my manifest and I attempt to enable kiosk mode, I do not receive the expected broadcast message, yet my device does successfully enter Kiosk mode. Likewise, when I subsequently disable Kiosk mode, I do not receive the expected broadcast message, yet the device successfully exits Kiosk mode. All other functionality and behaviors work as expected though. Meaning, disabling of hardware keys, status bar, etc. work as far as I can tell. Then, when I take out the sharedUserId from my manifest, while not changing anything else in the code, I do receive the expected system broadcast message. As you can imagine, to account for this, our custom app has to do some weird logic checks.
I also tested this all using the sample app provided by you guys at the link shown above. I also tested these results on the newer S9+ and got the same results as those I've described. The S9+ I have is running Knox 3.1 with Knox API level 25.