Bootloader must remain unlocked after installation is not a /e/OS specific handicap, but with a few exceptions, a general one for devices running custom ROMs. The problem comes from the device manufacturer.
It is therefore up to the user to decide whether to continue using an outdated, fully googled stock Android (with locked bootloader) on a device that has been written off by the device manufacturer and has not been supported for years, or to use a current degoogled, ungoogled custom ROM such as /eOS with an open bootloader.
Reminder N° 1
Research published by Digital Content Next in August 2018 revealed staggering facts about passive data collection
Reminder N° 2
In the study “Contact Tracing App Privacy: What Data Is Shared By Europe’s GAEN Contact Tracing Apps” by Douglas J. Leith, Stephen Farrell, School of Computer Science & Statistics, Trinity College Dublin, Ireland, July 18th, 2020, it was stated that Google Play Services can even be classified as particularly problematic in terms of privacy protection, as Android smartphones connect to Google servers every twenty minutes or so and transmit a lot of personal data in the process - despite what the researchers call a “privacy-conscious” Android configuration. In this “privacy-friendly” configuration, Google Play Services still contacts the Google servers every 20 minutes or so and transmits the phone number, SIM card number, unique device number (IMEI), device serial number, Wi-Fi MAC address, Android ID, Google account email address and IP address, which could enable fine-grained location tracking via the IP address.
Reminder N° 3
Security researchers led by Douglas J. Leith, School of Computer Science & Statistics, Trinity College Dublin, Ireland, March 25th, 2021 found out …
in the study “Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google” …
