
Somewhat tangential, but is there a guide to a complete and full list of steps needed to make a lineage-flashed phone physically secure? As in - stopping access to data if someone has unlimited physical access and <$1MM in equipment / funding.

E.g. do I need to put a lock on recovery? Disable ADB? Disable root? Disable developer mode? Enable encryption? etc.



The biggest problem is that in general you need to unlock the bootloader to install custom firmware. On some phones it might be possible to relock the bootloader after you flash the firmware, but I think most phones won't let you do this with a custom firmware.

Once the bootloader is unlocked, anyone with physical access to the phone can reboot the phone into custom software and run arbitrary code, read data etc.

I guess you can still use encryption in case your phone is stolen, but anyone who temporarily gets access to your phone could backdoor it.


Enable encryption. ...I think that's all you need to protect against a stolen device being compromised. It doesn't protect you against evil maid attacks. Basically the same situation as on a laptop that doesn't have secure boot.


Unlimited physical access is a "game over" scenario for phones. Consider supply chain attacks - just pwn the device before the user gets it. You might swap in a digitizer that logs all input (also works later). Etc.



