It all depends on how paranoid you feel. If the device has a hardcoded IP addresses changing the DNS won’t do anything. The only way to block that is by using a firewall external to your device and blocking it that way. You can get malware/backdoors in all the places you mention, and even built in to usb cables as well.

In the end the question becomes who can you actually trust, and how sensitive is your data. At some point you have to trust someone and potentially give any some form of data/information, otherwise you are just living in a bubble with no access to anything.

Personally I don’t believe anyone is interested in my data/info for anything other than selling adverts towards me, and potentially trying to steal money via scams, fraud etc.

I run a pixel 6a, some people will tell me that Google has all my data, and they are right, however I know what they have and can be pretty certain that I’m not going to have random crap and potential malware on the CPU or chip on the board, and it also receives regular updates.

Any app you run the phone (unless root enabled) will have to run on top of whatever rom you have installed, and is ultimately controlled by the Rom. It probably isn’t but again depends on level paranoia and trust you have. The paranoid route would be to build your own version of android from source on something like a fairphone.