Is having the user_id in attr_accessible dangerous (mass-assignement)?
yes it is, you should avoid adding foreign keys to attr_accessible most of the time, although there's scenario that it's ok to use (if the association publicly accessible like countries for example) or if you override the setter and do some kind of check..
Did I have to put my profile creation in a controller (registration create) using a transaction? (Here if my profile fails to build I have still a user record)
just add validates_associated :profile
in User model and maybe also validates :profile, presence: true
(kinda forgot if validates_associated allow nil or not)