Is a firewall necessary in /e/OS? Hardening default install

I was told by the developer of Netguard that all incoming traffic is blocked by default in Android.

Is this also the case in /e/OS?

If that is true, then why do so many Android users install a firweall like AFwall+?

I’m not really concerned with outbound connections, but I definitely do want to take care to protect my phone as much as possible from anything inbound.

Any other steps/configuration that are good to harden the /e/OS system?

Any help appreciated and thanks in advance.