Roger
Whilst I recognize the luxurious feeling of being able to use an Android eInk tablet, that device will never achieve any semblance of security and privacy.
For those who don't know, Boox devices run highly customized versions of Android.
I bought a Boox tablet a couple of years ago and, after having spent time getting to know the clunky menus, I was amazed. I could browse the web, read the news, encyclopedia articles and all that good stuff on a comfortable 10" eInk screen without getting eye-strain and without being distracted. I could borrow thousands of ebooks and magazines from my local libraries and read them instantly. It felt like a dream come true.
After a while, I started to feel uncomfortable at the idea that I didn't know which data the device was collecting on my usage, and what the company was doing with it. I wasn't doing highly sensitive activities on it such as banking or private messaging, but still I felt slightly uneasy at the possibility of something sucking up my activities on the device. So I installed RethinkDNS and blocked every unfamiliar domain from accessing the internet. Having to allow each domain I wanted to visit was a pain.
The thing is, Onyx is entirely in control of the operating system. How could I be sure that the device wasn't somehow bypassing the domain blocking? How could I know that there weren't VPN leaks? I still felt uneasy. I considered setting up NextDNS to block domains on the network level, but then there would be yet another entity to trust. But what about using a Raspberry Pi with the Pi-hole software? That also seemed like a pain.
Then I was taught the inherent risks of using unpatched mobile devices. I had explained to me the dangers of using devices that have become, and are increasingly becoming, vulnerable to attacks such as remote code execution, with the potential for an attacker to gain full control of a device without me being any the wiser. I felt even more uneasy. I realized that, by using a device with an ancient Android version and a low patch level, I wasn't only putting my device and home network at risk of compromise, but also risking a potential infection spreading to other insecure devices on other networks which I had no control over.
People talk about digital "threat models". Some claim that if you have a low "threat model", using an unpatched device is acceptable. The assumption is that, somehow, if their device gets hacked and their home network compromised, that's not too bad. I do not understand the reasoning that leads to that conclusion.
Whilst I loved using the tablet for internet reading, after having considered the above, I decided to factory reset it and use it solely as an offline device. This felt like I was retiring the device. I didn't want to pass on an insecure device to someone else, so what could I use it for? I now use it to sideload academic PDFs and textbooks, and I find the bundled reading app to be excellent for this purpose. Feels like I can finally tame these horribly formatted PDFs while comfortably reading them on a large eInk screen.
I've also found an RSS app for Android which can back up a database of downloaded articles (although the feeds need to provide them in full text), and plan to sideload it onto the tablet. That's not as convenient as downloading RSS feeds directly on it, but still means I can quite easily sideload articles to read with my morning Sunday coffee. ☕ I can also use the excellent note-taking app with the bundled stylus, if I want to (spoiler alert: I never do). I can also connect a keyboard and write my short stories directly on the tablet, which is easier on the eyes compared to staring at a computer screen for several hours.
Otherwise, I use my much lighter and smaller form Kobo for reading reflowable ebooks. I decided to keep that one offline simply because I have no reason to trust that Kobo doesn't suck up my data.
I find that my "threat model" can partly be summed up in the sentence "Just don't spy on me, creeps! 👀".