Pretty low
One thing you can do is install F-Droid and only use apps installed from that. That way, all your apps will be compiled from source code by the F-Droid team and checked for proprietary dependencies, trackers etc. Be aware that F-Droid don’t remove apps after they’ve been included, even if they haven’t been updated for years, so look for apps with recent updates, especially for anything that matters to your security.
Also keep an eye out for the lists of “anti-features” that F-Droid adds to the description of some apps. These are things like the app being free code itself, but used for connecting to a non-free server. You need to decide for yourself what compromises to make here for the functionality you need.
If you can get root on your device, consider stripping it right back to the essentials of the OS, and replacing every component you can with one from F-Droid. Eg replacing the default SMS app with Silence and replacing Goggle Maps with OSMand+.
Ironic, in the context of the OP, that the xda-forum website serves up Javascript from a bunch of third-party domains controlled by Goggle, and uses Cloudflare which centralizes the web, and tends to make it hard to reach for Tor users.