Here's what I've figured out so far, reading up on stuff here and making decisions about my threat profile...
threat profile:
Low risk, high probability: manipulative content curation via algorithmic voodoo, and straight-up propaganda.
high risk, low probability: overzealous law enforcement getting a bee in their bonnet about me for some dumb reason.
Countermeasures: use GOS. don't use apps like facebook, twitter, etc that are specifically designed to figure me out; use silent link for data, jmp.chat for legacy calls and texts because my family is a bunch of old farts who refuse to care about privacy. might do SMS pool for legacy sms crappy 2FA because companies still don't know how to use actual 2fa i guess. don't use google. Put Microsoft apps on a separate profile for work, put personal life on its own profile, stay off the owner profile unless i gotta use it to mess with settings. use Mullvad VPN and DNS. and don't be stupid, stupid, but also don't spend five years going down a rabbit hole of futility about trying to lock everything down, because I don't need to go through all that effort for diminishing returns.
that being said, I just turned the pixel on and it's asking me to connect to the internet, and i did, because the GOS install site said i needed to update it to make sure it has updated firmware... and then the pixel said it was sending stuff to google. So now I don't know how to proceed - set up offline, then connect to the internet and update later, or set up online? I have to do some junk to set up esim stuff to make silent link work, but i think i don't have to do that in basic android, right?