Android Privacy Setup Review

Privacy Guides Community [Unofficial] May 17, 2026

Threat Model & Goals

Objective:

  1. Avoid or minimise invasive cloud-based AI features where possible.
  2. Reduce exposure to mass surveillance and age verification.
  3. I’m not assuming targeted surveillance by intelligence agencies; I just don’t want to be an easy data harvesting target for big platforms, governments/law enforcement, and data brokers.

Convenience Balance & Constraints: I don’t want to make drastic changes that significantly limit social interaction or convenience, changes where the privacy gain becomes very minimal compared to the effort, or steps that require flashing a custom OS, self-hosting, or paid services. I’m using the free plans of all the services I mention below. I favour open-source, but don’t strictly need all apps to be open-source, especially if the service is independently audited and widely trusted.

Experience: I’ve only really started being aware and serious about privacy since the start of 2026. I’m an Android-only user.

What I’m Looking For:

  1. Feedback on my threat model and “diminishing returns” approach.
  2. Help designing a long-term privacy stack (VPN, DNS, email, drive, passwords, notes, photos, AI) that I can stick with for years without constant switching.
  3. Opinions on: Proton ecosystem vs diversification, and Bitwarden vs Proton Pass vs KeePass.

Mobile Setup

• Device & OS: OPPO running ColorOS 16

• App Store/Sources: Primarily Google Play Store, but I also use Obtainium for downloading open-source apps and F-Droid Basic as the repository to find open-source apps.

Primary Apps:

• Communication: WhatsApp or Google Messages with RCS

• Email: Proton Mail and Gmail

• Calendar: Proton Calendar

• Contacts: Proton Contacts

• Meetings: Google Meet

• Navigation: OsmAnd or Google Maps

• Cloud/Backup: Filen for most files, Google Drive for non-sensitive files I want easily accessible

• Photo Management: Ente Photos, Aves Libre

• Notes: Notesnook (cloud-synced) and Standard Notes (local/not signed into an account)

• Docs: ONLYOFFICE or CryptPad

• Tasks: Tasks.org

• Socials: Discord, Matrix (Element), Twitter (X), Mastodon

• Frontends: Redlib (Reddit), LibreTube (YouTube), Metrolist (YouTube Music)

• DNS: Mullvad DoT (Private DNS)

• VPN: Windscribe, though I barely use it

• Email & Aliasing: Proton Pass/SimpleLogin aliases

• Password Manager: Bitwarden (cloud) with KeePassDX backup

• TOTP: Aegis Authenticator (backed up to Filen)

• File Sharing: LocalSend, though in practice, I usually just use WhatsApp because everybody I communicate with uses it

• Browser: Brave for daily browsing and accounts, Cromite for disposable searches, and Tor Browser for more sensitive searches (also tried DDG, Firefox, and IronFox)

• Search Engine: Brave Search (also tried DDG)

• AI: I’ve tried Proton Lumo, Brave Leo, and Duck AI

Specific Questions

  1. Is using Mail and VPN from the same company “putting all my eggs in one basket”?
  2. What pros and cons have you noticed for going “all-in” on the Proton ecosystem or diversifying, and how much does it affect your workflow, whichever fits you better?
  3. Any thoughts on YT Music clients? There are quite a lot of them but I rarely see them mentioned in reputable privacy sources, maybe because most of them are hobby projects.
  4. Given my situation, how would you design a long-term privacy stack that doesn’t encourage constantly switching between tools?
