Stop believing the lie fed to you that Android and all other forks are different from GrapheneOS, another AOSP fork. Android fundamentally is sandboxed as far as running apps is concerned. GrapheneOS is just a feature rebranded AOSP fork with practically no security advantages.

3. I saw that Firefox isn't exactly private(?) and that Vanadium is better in that aspect but I don't understand why. Can someone ELI5, and help me see if this is a relevant concern for me?

You could do better by firstly getting out of the GrapheneOS cult, and secondly not believing the lies about Chromium and its forks being superior to Firefox. Tor Project chooses Firefox over Chromium for privacy and security reasons. These GrapheneOS clowns are not even 0.1% as good as Tor Project experts, and this AOSP fork is only "developed" (feature rebranded) by one person, if you check its GitHub.

Thirdly, understand that no matter what you do, the smartphone is fundamentally hard to make bulletproof, considering its nature as a communicator device. You already have solid security on Android since years, no matter what you pick.

Fourthly, you will have a way easier life with my non-root smartphone guide, all of which is steps you do, and not do complicated things that do not even carry a guarantee of security or honesty from developer's side.

They lie to the extent of going around in tech YouTuber comment sections and claim they have $1M Cellebrite Israeli toolkits to verify grapheneOS is safe against bootloader attacks like Evil Maid. https://i.imgur.com/woNxPhx.jpg

Please read the paper by Ken Thompson, co-creator of Unix and C, on why we should be able to trust the developer and NOT the code. https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf