Hey guys, I have a Google Pixel 8a smartphone. It is a de-Googled Pixel 8a, currently with CalyxOS. Is this the best custom ROM for privacy + security?

I also need to try to make it a hardened phone. Not a spy phone… not a surveillance phone. Basically trying to make it a safe phone, an anonymity phone.

What VPN could I use for this phone, and are there any other guides or settings guides you can recommend for my phone?

The SIM card is a KYC one, but I'm stuck with it.

Thank you.

  • Sophocles@infosec.pub · edited 2 days ago

    I’ve been using Calyx for about a year and I feel like it does the job well. Here are some things I’ve done to harden my Calyx phone:

    VPN: Turn on "Always-on VPN", "Block connections without VPN", and "Global VPN" in Settings > Network > your VPN. I use Mullvad VPN as I think they have a great reputation, and it is also easy on battery. Furthermore, you can pay with a cash voucher or crypto. You can also use the built-in Calyx VPN, but it is a bit slower. If you use Mullvad you can also turn on custom DNS, quantum resistance, and multihop if you wanna go a bit further.

    Apps: Only use trusted apps and avoid "big tech" apps like Instagram and anything Google. Anything from F-Droid is vetted through a strict FOSS policy and is generally safe to use. Look for alternatives to Play Store apps and try to replace as many as you can.

    Settings:

    App access: In Settings > Apps > Permissions, only allow what apps need. For example, your photos app doesn't need location data, so keep location off. Go through each app and remove as many permissions as you see fit. Also make sure any apps with system-wide access are trustworthy.

    Camera and mic: Calyx offers camera and mic off switches via the main pull-down menu. Make sure they are always off and only enable them when necessary.

    DNS: Use a private DNS host, such as base.dns.mullvad.net (found in network settings).

    Auto-reboot: Turn on auto-reboot in settings so that if your phone is ever brute-forced physically, it will make it much harder to crack.

    USB: Turn off USB access to your phone unless needed, under "More privacy settings".

    SIM/Contacts/Phone: Generally, apps have access to your contacts and phone calls. If you get a SIM and phone number through JMP, all of your calls, texts and contacts will be sent through your VPN/internet rather than a cellular network (although they only service Canada and the US). This won't protect you from whoever you call/send to, but it will secure you on your end. Also note that any SIM has the ability to be triangulated via cell towers. JMP doesn't protect from this, but does have a degree of separation from the actual telecom provider. You could also use a Faraday bag while you're out as an alternative. (Edit: just saw you are stuck with a SIM. You can actually get JMP as a second SIM with a second number. Use your main SIM for data and your JMP SIM for call/text. You would still be able to be triangulated, but your provider would at least be barred from monitoring the XMPP communications.)

    Firewall: Use the built-in firewall to always block new network requests. Only allow VPN access, with exceptions as you see fit. Also do so for the system apps, but only block what you know about. You can research what each system app does, but there are a lot.

    Work profile: Use the work profile to isolate higher-risk apps from your main apps. For example, I have a copy of the Fennec browser in my work profile to access Instagram, so that not only is it isolated by browser, but it's also completely separate from all of my other apps.

    Browser: Use Iceraven, Fennec, Tor, or Firefox to browse. Be aware that Firefox sends diagnostic data, but the other ones are much more hardened. All of them also have a feature to add web pages as apps if you don't want an actual app (e.g. Instagram).

    Messaging: Use Signal, SimpleX, Jabber/XMPP, or Matrix for communication. Only compromise for friends and family, and if possible try to get them on board too, although that is harder than it sounds.

    Physical protection: Use a long login password and the Sentry app from F-Droid to purge your phone if the password is entered wrong too many times. Set up a bare-bones dummy user profile in case someone forces you to log in to your phone (e.g. a criminal or a nosy relative).

    Location: Keep your location off or disabled entirely. Try to navigate maps the old fashioned way. It’s hard at first, but gets easier with practice. You can use an offline map like Organic Maps. I used it with no internet to cross the USA from New York to California and it went smoothly if you have a good sense of navigation.

    I hope some of this helps!
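
A way to verify the VPN and DNS part of the reply above instead of trusting the toggles, as an added example that is not code from the original post, from Mullvad or from CalyxOS: the script below audits an Android settings dump for "Always-on VPN", "Block connections without VPN" (VPN lockdown) and strict Private DNS. It runs offline on constructed sample output in the shape of `adb shell settings list secure` / `adb shell settings list global`. The setting keys follow AOSP's Settings.Secure and Settings.Global provider (`always_on_vpn_app`, `always_on_vpn_lockdown`, `private_dns_mode`, `private_dns_specifier`); confirm them on your own build. The Mullvad package name is an assumption to check against `pm list packages`, and the function names are mine.

```python
# Added example (not from the original post, Mullvad or CalyxOS): audit an
# Android settings dump for always-on VPN, VPN lockdown and strict Private DNS.
# Setting keys are the AOSP Settings.Secure / Settings.Global names; the
# Mullvad package name is an assumption, verify with `pm list packages`.

from typing import Dict, List, Optional

# Constructed sample dumps: one hardened as the reply describes, one at stock
# defaults.  `settings list` omits unset keys, so the stock secure dump is empty.
HARDENED_SECURE = """\
always_on_vpn_app=net.mullvad.mullvadvpn
always_on_vpn_lockdown=1
"""
HARDENED_GLOBAL = """\
private_dns_mode=hostname
private_dns_specifier=base.dns.mullvad.net
"""
DEFAULT_SECURE = ""
DEFAULT_GLOBAL = """\
private_dns_mode=opportunistic
"""


def parse_settings(dump: str) -> Dict[str, str]:
    """Turn `key=value` lines from `adb shell settings list <ns>` into a dict."""
    settings: Dict[str, str] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")   # values may themselves contain '='
        settings[key.strip()] = value.strip()
    return settings


def audit(secure: Dict[str, str], global_: Dict[str, str],
          vpn_pkg: Optional[str] = None,
          dns_host: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []

    # "Always-on VPN": Secure.ALWAYS_ON_VPN_APP holds the VPN app's package name.
    app = secure.get("always_on_vpn_app", "")
    if app in ("", "null"):            # `settings get` prints "null" when unset
        findings.append("always-on VPN is not configured")
    elif vpn_pkg and app != vpn_pkg:
        findings.append(f"always-on VPN is {app}, expected {vpn_pkg}")

    # "Block connections without VPN": Secure.ALWAYS_ON_VPN_LOCKDOWN must be 1,
    # otherwise traffic leaks outside the tunnel while the VPN is reconnecting.
    if secure.get("always_on_vpn_lockdown") != "1":
        findings.append("VPN lockdown ('Block connections without VPN') is off")

    # Private DNS: "hostname" is strict DNS-over-TLS to the named resolver.
    # "opportunistic" (the UI's "Automatic") falls back to plaintext DNS when
    # the network's resolver offers no TLS, so it is not a hardening setting.
    mode = global_.get("private_dns_mode", "")
    if mode != "hostname":
        findings.append(f"private DNS mode is {mode or 'unset'}, expected hostname")
    elif dns_host and global_.get("private_dns_specifier") != dns_host:
        findings.append(f"private DNS host is {global_.get('private_dns_specifier')}, "
                        f"expected {dns_host}")
    return findings


def audit_dumps(secure_dump: str, global_dump: str,
                vpn_pkg: str = "net.mullvad.mullvadvpn",
                dns_host: str = "base.dns.mullvad.net") -> List[str]:
    """Parse both namespaces from raw dump text, then audit them."""
    return audit(parse_settings(secure_dump), parse_settings(global_dump),
                 vpn_pkg, dns_host)


if __name__ == "__main__":
    for label, sec, glob in (("hardened", HARDENED_SECURE, HARDENED_GLOBAL),
                             ("default", DEFAULT_SECURE, DEFAULT_GLOBAL)):
        findings = audit_dumps(sec, glob)
        print(f"{label}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

To run it against a real phone, capture `adb shell settings list secure` and `adb shell settings list global` to files and feed their contents to `audit_dumps`. That requires USB debugging, which conflicts with the reply's advice to keep USB access off, so enable it only for the check and turn it back off afterwards. The "Global VPN" toggle and the USB restriction mentioned in the reply are CalyxOS-specific options and are not covered by these AOSP keys.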