Quickly skimming through the actual study shows they seem to mainly have looked at the packages installed on top of the Android system, but they also looked at the connections being made. Not sure which part of the study the reference to “vendor code” refers to.
For the most part it should. If you are a high-profile target (activist, journalist, whistleblower etc.), you shouldn’t be using /e/ anyway. Consult a security professional instead. As a normal user, you should be reasonably fine.
I can confirm a lot of their findings, though of course on a more superficial level. Installing NoRootFirewall or Blokada on Xiaomi devices with EU rom shows a lot of traffic, even if everything is configured in the most privacy friendly way possible and no accounts are created or logged in. Whenever you connect it to the internet, looking at the connection log is like looking at a fountain. I found the devices also had certain semi-random times when multiple apps and tasks suddenly became super chatty.
The EU roms also come with a lot of bloatware, some of it Chinese like Aliexpress and the default Office software, some of it from the US like Facebook or Google apps, Netflix etc. All of these launch at boot and most happily transmit data even though they have never ever been opened even once. Some of them can be uninstalled by the user, some can’t. It appears this is just worse by a magnitude of 3 to 4 times in the Chinese version of the ROMs.
The system itself has a lot of components that cannot be uninstalled or deactivated by the casual user that constantly chat with Xiaomi servers. All activities in the default browser trigger connections. A lot of the system traffic also seems to be related to advertising.
For EU and India ROMs, the target servers appear to be located in Singapore and operated by Alibaba Cloud.
However, while the extent of this is certainly staggering, western companies do this, too. You can’t use most non-Chinese Android phones either without sending crazy amounts of data to Google as well as the device manufacturer. The majority of common commercial apps that are pre-installed on western Android systems also connect to things like Facebook, Google Firebase Analytics and app-measurement.com on every startup without asking for consent or offering an option to opt out; some even constantly transmit data without ever having been launched.
Apple also seems to verify certificates on every app launch (on both iOS and macOS), which in turn theoretically allows them to track which apps are opened and when.
Chinese companies are certainly more aggressive in this regard and the state is certainly more oppressive and the integration between companies and the state is tighter, but the problem itself is not a uniquely Chinese one.
Installing /e/ on Xiaomi devices stops those transmissions as far as I can tell (except for those inevitable ones to Google that are documented by /e/), so for the casual user, they seem to be more than safe enough once the manufacturer ROM is gone. All phones include US-, Korean-, Japanese- and Chinese-made components with their own firmware and security vulnerabilities, so no phone can really be considered 100% safe.
The Chinese state also has other means to track cellphone users, such as access to the provider communications through network operators on small islands, by manipulating routing tables to route cellphone traffic through China, access to millions of consumer internet routers, apps like TikTok and more. These days, we can also add flying balloons that can intercept radio communication to that list.
As long as US and EU regulations block secure end-to-end encrypted standards for mobile communication and old systems stay in place which assume that every network provider is trustworthy, we have to live with the fact that our communication over these networks and to an extent also our location will remain exposed to malicious actors.
In short, based on what we know so far, I’d say using a Chinese phone with /e/ is less problematic than using a western phone with stock ROM. But I’m happy to revise my stance if there are new findings.
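The observations above (apps chatting at boot, apps transmitting although they were never opened, and bursts where many apps become "super chatty" at once) are the kind of thing you can pull out of an exported firewall connection log rather than eyeballing it. The script below is an added example and not code from the post, from /e/, or from NoRootFirewall or Blokada; the log format, package names, hostnames, boot timestamp and the list of never-opened apps are all constructed for the example, so the parser has to be adapted to whatever a real firewall app exports.

```python
"""Triage an exported outbound-connection log from an on-device firewall.

Added example; not code from the forum post or from any firewall app.
The line format is constructed for this example:
    <ISO timestamp> <app package> <destination host> <bytes out>
Adapt parse_line() to the real export format of the tool you use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst right after boot, one real browsing
# session, and a second burst hours later with the same set of apps.
SAMPLE_LOG = """\
2024-03-01T08:00:02 com.example.launcher launcher-cfg.example.net 512
2024-03-01T08:00:03 com.example.shop shop-telemetry.example.net 2048
2024-03-01T08:00:03 com.example.social graph.example.net 1024
2024-03-01T08:00:04 com.example.analytics app-measurement.example.net 4096
2024-03-01T08:00:05 com.example.browser ads.example.net 768
2024-03-01T08:31:10 com.example.browser news.example.org 30000
2024-03-01T12:15:00 com.example.shop shop-telemetry.example.net 2048
2024-03-01T12:15:01 com.example.analytics app-measurement.example.net 4096
2024-03-01T12:15:01 com.example.social graph.example.net 1024
2024-03-01T12:15:02 com.example.launcher launcher-cfg.example.net 512
"""

BOOT_TIME = datetime(2024, 3, 1, 8, 0, 0)  # constructed boot timestamp
# Apps the user never opened (constructed list; on a real device this is
# whatever pre-installed apps you know you have not launched).
NEVER_OPENED = {"com.example.shop", "com.example.social", "com.example.analytics"}


def parse_line(line):
    """Split one constructed-format log line into (timestamp, app, host, bytes)."""
    ts, app, host, nbytes = line.split()
    return datetime.fromisoformat(ts), app, host, int(nbytes)


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def summarize(events):
    """Per-app totals: connection count, distinct destination hosts, bytes out."""
    summary = defaultdict(lambda: {"connections": 0, "hosts": set(), "bytes": 0})
    for _, app, host, nbytes in events:
        entry = summary[app]
        entry["connections"] += 1
        entry["hosts"].add(host)
        entry["bytes"] += nbytes
    return dict(summary)


def boot_talkers(events, boot_time, window_s=30):
    """Apps that opened a connection within window_s seconds of boot."""
    end = boot_time + timedelta(seconds=window_s)
    return sorted({app for ts, app, _, _ in events if boot_time <= ts <= end})


def silent_senders(events, never_opened):
    """Apps that transmitted data although the user never launched them."""
    return sorted({app for _, app, _, _ in events if app in never_opened})


def bursts(events, window_s=5, min_apps=3):
    """Start times of windows in which at least min_apps distinct apps connected.

    Overlapping windows are collapsed: a new burst is only reported once the
    previous window has ended.
    """
    events = sorted(events, key=lambda e: e[0])
    found = []
    for i, (ts, *_) in enumerate(events):
        window_end = ts + timedelta(seconds=window_s)
        if found and ts <= found[-1] + timedelta(seconds=window_s):
            continue
        apps = {app for t, app, _, _ in events[i:] if t <= window_end}
        if len(apps) >= min_apps:
            found.append(ts)
    return found


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for app, s in sorted(summarize(evs).items()):
        print(f"{app:24} {s['connections']:3} conns {len(s['hosts']):2} hosts {s['bytes']:6} B")
    print("talk at boot:   ", boot_talkers(evs, BOOT_TIME))
    print("never opened:   ", silent_senders(evs, NEVER_OPENED))
    print("burst windows:  ", [t.isoformat() for t in bursts(evs)])
```

The three views map onto the three complaints in the post: boot_talkers() lists what fires before you have touched the phone, silent_senders() cross-references the log against apps you know you never opened, and bursts() finds the "semi-random times" by sliding a short window over the log and counting distinct apps. On a real export the useful next step is to sort summarize() by bytes or by host and decide per destination whether to block it in the firewall.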