Things I have done:

-install adguard and route all my traffic through it

• enable always on VPN and block connections without

-firewall all apps to block internet connection

-only allow apps the apps i want to use internet on

-replace everything I possibly can with FOSS software

-disable everything google and use helioboard as keyboard

-install shizuku and canta to debloat as much as I can

-route all traffic through orbot (except apps that require me to login)

This is probably overkill but that's the best I could do on stock android 🤭

You can't. Some might say that the less adversaries monitor you the better. But you will never be private unless you ditch all the proprietary software and practice good opsec on the internet and in real life. Hate to break it to you, but privacy is fundamentally a binary thing: you are either spied upon or you are not, regardless if it's one hundred companies or just one.

universal adb debloater and rethinkdns

I assume you are using F-droid app manager, and also added IzzyonDroid repo to it? There you can get a lot of apps, like firewalls to block apps that call home when you don't really use them. Replace most of your apps with open source alternatives from F-droid. Get an email hosting alternative that isn't one of the big (spy, data mining) companies. Use decentralized privacy focused social media options. What type of phone manufacturer do you use and is it unlocked? You could use an android privacy rom like CalyxOS, that is what I use, completely de-googled, uses MicroG instead of Google Play services. A VPN would be my last option to add, especially when connecting to outside wifi.

With Shizuku and Canta, you can remove the spying system apps. You can break your phone though (fixable with a factory reset), so do be careful. If you want to play it safe, use the recommended list in Canta. These should be safe to remove.

F-Droid

Rethink DNS is both a firewall app, and you can run a VPN at the same time using a wireguard configuration.

I use a VPN system wide, and for some apps like Fennec or a Torrent app (yes I torrent on my phone lol), I use a different wireguard config for each one of these apps. For the systemwide VPN, its using a server in my country, for individual apps, it goes to switzerland or iceland (So the IP used to check for system updates isn't correlated to the IP used for everyday browsing, watch youtube videos, or torrenting). I block everything from internet access unless it needs internet to function, like a phone app for example (for VoLTE). Enable "block connections without VPN".

Mullvad has the cheapest VPN at €5 Euro per month, and ProtonVPN have some free servers, but free servers have slower speeds.

netGuard ☞ https://f-droid.org/packages/eu.faircode.netguard

https://thenewoil.org/en/guides/most-important/mobile-settings/

So one of the gotchas about stopped/disabled apps is that other apps can still call and launch them. I frequently saw my apps pop back up even after being disabled, since I used SuperFreezZ to monitor them. https://f-droid.org/packages/superfreeze.tool.android/

The alternative to that would be an ADB disable. IIRC it takes the app away from userspace completely. It doesn't touch the system-level though, so a factory reset will bring it back.

If you can't handle setting up ADB and it's hoops, there is an app combo that can set up a bridge and run the ADB disable for you: https://f-droid.org/en/packages/io.github.samolego.canta/

I'm lazy, bought my phone from Murena, they deGoogled it for me.

I guess you mean whatever factory OS is installed on your phone. Nobody uses stock OS.

What phone do you use?

Depends on what you mean by stock android. Google's phones do not come with stock android.