Android

Unlocking the bootloader

Unlocking the bootloader in Android is a massive security risk. It disables verified boot, a fundamental part of the security model. Verified boot ensures the integrity of the base system and boot chain to prevent malware persistence. If an attacker has managed to compromise the entire system and gain extremely high privileges, verified boot will revert their changes upon reboot and ensure they cannot persist.

Verified boot is not just for local security as many people assume. Its main purpose is protection against remote attackers and the physical security is a nice side-effect.

Unlocking the bootloader is strongly discouraged.

Rooting your device

Rooting your device allows an attacker to trivially gain extremely high privileges. In Android, by default, unrestricted root does not exist anywhere because of the full system SELinux policy. Even the init system is not unrestricted root. Exposing privileges far greater than init's to the application layer is extremely silly.

It does not matter if you have to whitelist the apps that get root. An attacker can fake user input, for example with clickjacking, or exploit vulnerabilities in the apps you have granted root to.

People often try to argue that if root were insecure, Linux would not allow root. Linux does not have a security model like Android's. On the usual Linux system, gaining root is extremely easy.

Custom ROMs

The majority of custom ROMs severely worsen the security model by disabling verified boot, using userdebug builds, disabling SELinux, not including firmware updates, lacking rollback protection and much more. A common ROM that does many of these is LineageOS.

LineageOS

LineageOS uses userdebug builds, which add tons of debugging tools as extra attack surface, weaken the SELinux policies and expose root access via adb. LineageOS requires an unlocked bootloader and disables verified boot, which is essential to verify the integrity of the OS. It does not implement rollback protection, so an attacker can downgrade the OS to an old version and exploit already patched vulnerabilities (you can tell because the updater allows you to downgrade versions). It does not include firmware updates, which prevents you from getting new patches that fix vulnerabilities. And there are many more issues.
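The properties the sections above warn about (an unlocked bootloader, verified boot no longer enforced, userdebug builds signed with test keys) can be read straight from the device. The following shell script is an added example, not part of the original page: it parses `getprop` output in the format Android prints it and flags those states. For live use it assumes `adb` is installed and the device is authorised (`adb shell getprop | sh check.sh`); here it runs against constructed samples so it works offline.

```shell
#!/bin/sh
# Added example (not from the original page): audit the boot and build
# properties behind the warnings about unlocked bootloaders, disabled
# verified boot and userdebug builds. Live use assumes adb is installed;
# the samples below are constructed so the script runs offline.

# Extract one value from getprop output, whose lines look like "[key]: [value]".
prop() {
  # $1 = getprop output, $2 = property name
  printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]$/\1/p"
}

# Print a space-separated list of findings; an empty line means nothing was flagged.
assess() {
  out="$1"
  findings=""
  case "$(prop "$out" ro.boot.flash.locked)" in
    1) ;;                                                    # bootloader locked
    *) findings="$findings bootloader-unlocked" ;;
  esac
  case "$(prop "$out" ro.boot.verifiedbootstate)" in
    green) ;;                                                # verified with the OEM key
    yellow) findings="$findings custom-verified-boot-key" ;; # verified with an enrolled key
    orange) findings="$findings verified-boot-not-enforced" ;;
    red) findings="$findings verified-boot-failed" ;;
    *) findings="$findings verified-boot-state-unknown" ;;
  esac
  case "$(prop "$out" ro.build.type)" in
    user) ;;
    *) findings="$findings non-user-build" ;;                # userdebug/eng: debug tools, adb root
  esac
  case "$(prop "$out" ro.build.tags)" in
    release-keys) ;;
    *) findings="$findings non-release-keys" ;;              # signed with public test keys
  esac
  printf '%s\n' "${findings# }"
}

# Constructed samples: a locked stock device and an unlocked userdebug custom ROM.
STOCK_LOCKED='[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.build.type]: [user]
[ro.build.tags]: [release-keys]'
ROM_UNLOCKED='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.build.type]: [userdebug]
[ro.build.tags]: [test-keys]'

echo "stock:  $(assess "$STOCK_LOCKED")"
echo "custom: $(assess "$ROM_UNLOCKED")"
```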

MicroG

MicroG is a common alternative to Google Play Services. Many people use it to get rid of Google tracking on their device, but many do not realise that it substantially worsens security: it requires signature spoofing, which allows apps to request to bypass signature verification.

Firewalls

Firewalls such as AFWall+ or NetGuard are regularly used on Android to try to block network access for a specific app, but these do not work reliably. Apps can use IPC to bypass the restrictions. Cutting off network access to an app does not prevent it from sending an intent to another app (such as the browser) that makes the same connection on its behalf.

Many apps already do this unintentionally, for example through the download manager.

Conclusion

The best option for privacy/security on Android is to get a Pixel 3 and flash GrapheneOS. GrapheneOS does not contain any tracking unlike the stock OS on most devices and includes many hardening enhancements such as a hardened memory allocator, hardened C library, hardened kernel, stricter SELinux policies and more.

Pixels are also the best hardware to use as they have lots of hardening other devices lack such as full verified boot with support for custom keys, hardware backed keystore, hardened basebands, IOMMU to isolate hardware devices, kernel CFI etc.

Remember that GrapheneOS cannot prevent you from ruining your privacy yourself. You still have to be careful regardless of the operating system.
