The opensource apps like Newpipe, SmartTube, termux and many others are the “malware”, not the ones with binary blobs on PlayStore that fork VLC, Newpipe and many opensource apps illegally, supposedly “verified” but don’t follow opensource license like GPL, creating fake clones with ads and (real) malware.

https://itwire.com/business-it-news/open-source/81652-google-ignores-licence-violating-clones-of-vlc.html

Right, only install “verified” from Google Play, but that is where malware is, other 3rd party app stores like F-Droid, that really verify apps are at risk of getting killed by Google

Yes, im very interested watching digital characters having sex

They do this for years, i’ve several games for free from GOG, what’s different?

Some of the games didn’t even installed, “it’s free cool, let me grabbed”

Is it?

Android uses Apache License 2.0, which means vendors can modify and distribute without publishing their modifications, like include proprietary blobs and other proprietary code.

It’s like using Google Chrome instead of Chromium.

Yes you can debloat the system, but many system apps can’t be disabled without breaking the system, and ROMs based on AOSP the code can be reviewed or modified and built it yourself.

Xiaomi and mostly stock ROMs these days come bundled with ads, and apps that collect user data, even with debloat or DNS blackhole isn’t 100% private or better than a custom ROM.
That’s why Graphene and CalyxOS exist.