Hello,
I really enjoy GrapheneOS and all the control it gives, but I found that without any parental controls to lock myself out of certain sites, I was wasting time on trashy sites and going to sites that were negatively affecting my life. So since getting this phone I have been working on finding a way to block these sites and the various workarounds. My goals for this solution were that it must require entering a password, it must be free (no subscriptions at least), and it doesn't hand my device over to Google/big tech. Here is what I was able to figure out, and for me it has been bulletproof.
Blocking is done by RethinkDNS as an always-on VPN with "block connections without VPN" on (great app for other reasons too). Rethink will do on-device DNS-level blocking (counters network tampering, and phoning home all the time). Rethink also has some features to block apps that bypass DNS. I did test it on Vanadium when trying to use the private DNS feature and it did block it (though I won't need to worry about Vanadium), as well as the normal Android private DNS feature. One of the flaws is that Rethink doesn't support CNAME transformations. So I want to use safe.duckduckgo.com but to use the duckduckgo.com domain instead, as Vanadium doesn't support entering custom search engines, and because some sites use google.com as an internet check, but if I'm blocking google.com to avoid their explicit images, there is collateral damage (feature request??). Another issue is you can't really use a VPN as easily (though that might change if they allow more configuration through Android broadcasting). Final con is Rethink has some intermittent performance issues, but not the end of the world.
Obvi on a normal phone you can just uninstall the app, turn off the VPN, force kill the app, use adb to uninstall the app, create a secondary profile, reset the phone, or just install a weird proxy app that lets you access the sites without filtering. So enforcement is provided by OwnDroid with the Device Owner privilege (not device admin). This gives OwnDroid access to the device management interfaces, and allows for disabling a lot of things. Disabling uninstalling Rethink, disabling force stop/tampering with Rethink, putting Rethink in suspend mode (it runs in the background, but can't open the app), disabling developer options, VPN lockdown, disable user creation, disable work/private space and disable app install (though I use something else for this). So after doing this my phone stops me, rather than me having to stop me, and that is so much easier.
There are 3 other supporting apps I use. Automate, which is for sending start to Rethink after reboot, as sometimes Rethink doesn't start on boot and suspend keeps me from opening the app and hitting start. I also use timelimit.io for blocking apps after install (for vetting, and disallowing tampering with Automate), and setting time limits on certain apps that I need but not all the time. Then I have Clipeus to clear the clipboard after needing to go in and change something.
So I made this repo to document what I've been able to do, and refine it as time goes on, as well as creating some breadcrumbs for others to follow and lock down their own devices.