I would recommend everyone who wants a clean Android to look into Google Pixel phones. Aside from being mostly bloat-free (and most bloat can be uninstalled), it is one of the few phones that supports unlocking/relocking and a secure open source alternative (GrapheneOS).
Does grapheneos prevent this? In what way? I know apps like ShareViaHTTP [1] are able to open ports (listening not just on the loopback address). If I installed a meta app, could it still run its listener that scripts on webpages could talk to?
I didn't say that. Only that GrapheneOS does not come with any adware/malware preinstalled. That said, their default browser did block one of the attack vectors:
