True privacy cannot be accomplished without a competent layer of security, and often times than not users make compromise security for "privacy". As a wise man once said "we must not assume that there are power users. If anything they could take decisions that reduce their security and feel they are improving it"
Use GrapheneOS or stock operating system on a google pixel device, the only recommended OEM is google
Warning: Do not root or keep the bootloader unlocked. Avoid custom roms like Lineage OS and its derivatives. It weakens various SELinux polices and exposes root access via adb. The majority of custom ROMs severely weaken the security model by disabling verified boot, failing to provide firmware patches, using userdebug builds, disabling SELinux, and various other issues, they focus on customization not security or privacy. Also Comparing Magisk manager (as an excuse to root the device) to Android's incredibly tight SELinux policy is ludicrous
Use Vanadium (if posible) or Bromite
Warning: These projects don't priorities on anonimity, if that is your top priority use the Tor browser instead
Don't use VPN services Use Orbot instead. It is a Proxy server project to provide anonymity on the Internet. It acts as an instance of the Tor network on such devices and allows traffic routing from a device's web browser, e-mail client, map program, etc., through the Tor network, providing anonymity for the user. The VPN mode in Orbot, is not a real VPN. the VPN mode makes use of Androd VPN-api to force all apps to through its own tor connection. They do it this way because the only alternative would require rooting your device.
Signal with VoIP number
ProtonMail and Tutanota are providers with a strong focus on security
Warning: Email itself is a legacy technology and there is no private or secure email, Don't go anywhere near email at all if any remotely sophisticated adversary is involved.
Use a password manager like Keepassdx or Bitwarden that generates secure passwords and stores them for you safely.
Use two-factor authentication (2FA) wherever possible, Use Aegis.