> If you assume this to be correct, then there's no point in attempting to make your phone private. Privacy isn't possible without security.

You have it the other way around, security starts with privacy at its absolute minimum. If data is sent to a third party every time you tap something on the phone, you are using an insecure phone, regardless of what complex hardware they are using.

> But using a custom ROM doesn't necessarily mean you have to permanently unlock your bootloader, so that argument doesn't make sense.

True, depends on the phone though, some of them cannot be locked again and there's no way to completely fix those phones with a better ROM.

I disagree. You can‘t keep data away from others when it isn‘t safe. Security doesn‘t necessarily imply privacy (as demonstrated by your argument), but making something private is impossible without making it secure. How can you hide something in your house when it doesn’t have a lock and anyone can just walk in? Likewise, how is your phone private if, say anyone can unlock it?

> True, depends on the phone though, some of them cannot be locked again and there's no way to completely fix those phones with a better ROM.

Then you shouldn‘t use those phones for a secure setup. I think we can agree on that. But the author of the article used a phone that is capable of locking the bootloader with alternate ROMs.

> How can you hide something in your house when it doesn’t have a lock and anyone can just walk in? Likewise, how is your phone private if, say anyone can unlock it?

Security requires privacy. A phone without privacy is insecure by design, insecure because it leaks data.

And the biggest danger to consumers nowadays isn't a bootrom exploit but that their location, card payments and data profile is sent to advertisers.