I have been modifying my phone and using custom ROMs since the days of WM5. When Android came out, and I got a Droid Eris, I immediately started doing the same thing. Back then I did it for fun, until I noticed the push toward information collection from pretty much everywhere. In 2013-2014 I began a privacy journey to keep my information from being stolen from me through my use of any device connected to the internet. My phone left me the most vulnerable.
I started rooting my phone to install custom ROMs and use specific tools like XPrivacy, which required the Xposed framework. This app "spoofed" my info to keep my real data safe from being leaked to every app on my phone. Rooting my phone also made it much easier to do backups with all device data. Then I started removing Google Play services from modified stock ROMs when MicroG was first developed. This was the best option I knew to have a little more privacy, but still have functional apps.
Fast forward a few years to when privacy-focused ROMs are being developed for the Google Pixels (GrapheneOS and CalyxOS). These allowed the bootloader to be locked to keep verified boot. This adds a lot more physical protection, but I was still unclear how these ROMs protected my device data without it being rooted, Xposed, and with XPrivacyLua installed.
I know there are some tools that do not require root (App-ops and Shizuku Manager), but I think App-ops is closed source, which I would like to stay away from.
Until now I have been using my Pixel 6 with a privacy-focused ROM, but I keep it rooted with Magisk, with LSPosed installed, and XPrivacyLua. This makes me feel more secure that my data isn't being leaked, but I am more vulnerable without verified boot and convenient OTA updates.
I would like to know if anyone has a solution for restricting or feeding apps false information that does not require root. Or does GrapheneOS implement ways to protect personal data and device information from being leaked?