That is true. However, Xiaomi is one of the only major sellers that allows you to unlock your bootloader, and they even allow you to re-lock your bootloader after.
So if you want a Xiaomi and care about security, simply remove the bootloader lock and install LineageOS. Some models are officially supported by LineageOS.
That's a good point. Xiaomi deserves praise for keeping the bootloader user-friendly.
LineageOS provides timely Android security updates, but only the manufacturer can provide vendor security patches even when a custom OS is installed. If Xiaomi did this monthly, its phones would be as hacker-friendly as Google's Pixel phones.
On Android there are two kinds of security updates, vendor and platform. LineageOS will provide the monthly platform updates same as on a Pixel, but vendor updates will be the same as the stock ROM. The basic UI only shows the older of the two. In any case it's going to be better than anything except a Pixel.
On LineageOS, the "Android version" screen shows the dates for both the "Android security update" and the "Vendor security patch level" right next to each other.
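Added example, not part of the original thread: a shell sketch that reads the two patch levels discussed above from `adb shell getprop` output and reports the older one. It assumes the platform level is in `ro.build.version.security_patch` and the vendor level in `ro.vendor.build.security_patch`; the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Compare Android platform and vendor security patch levels.
# Input is text in `getprop` format: [name]: [value]

# Print the value of property $1 from getprop-format text on stdin.
prop_value() {
    sed -n "s/^\[$1\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# Read a getprop dump on stdin; echo "platform vendor older".
patch_levels() {
    # adb can emit CRLF line endings; strip the carriage returns.
    dump=$(tr -d '\r')
    platform=$(printf '%s\n' "$dump" | prop_value 'ro.build.version.security_patch')
    vendor=$(printf '%s\n' "$dump" | prop_value 'ro.vendor.build.security_patch')
    # A device may not expose one of the properties at all.
    [ -n "$platform" ] || platform=unknown
    [ -n "$vendor" ] || vendor=unknown
    if [ "$platform" = unknown ] || [ "$vendor" = unknown ]; then
        older=unknown
    else
        # ISO dates (YYYY-MM-DD) sort correctly as plain strings.
        older=$(printf '%s\n%s\n' "$platform" "$vendor" | sort | head -n 1)
    fi
    echo "$platform $vendor $older"
}

# Constructed sample: platform patched recently, vendor lagging behind.
SAMPLE='[ro.build.version.release]: [11]
[ro.build.version.security_patch]: [2021-03-05]
[ro.vendor.build.security_patch]: [2020-12-01]'

# Live use: adb shell getprop | patch_levels
printf '%s\n' "$SAMPLE" | patch_levels
```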
Xiaomi's update schedule isn't terrible, but it's disappointing that even its flagship devices only get quarterly updates, while other brands including Samsung, Oppo, OnePlus, and Realme commit to monthly or at least bi-monthly updates for their flagships.
Not everyone is willing or able to flash another OS onto their phones, and considering its success, Xiaomi can afford to do better to protect its users with more timely updates.
Compared to Samsung, Sony, iPhone or recently Oppo, their flagship phones always appeared at a reasonable price point. Also their light/$2-300 phone series usually wasn't a complete joke like with many other major names.
In the China brand lifecycle, Xiaomi was just at a different phase of the cycle than Huawei. Now they also have €1000+ phones to compete with Samsung and Apple flagships. Similar story happened with OnePlus.
Xiaomi has very premium phones, yes, but they still sell flagship killers and from all we know they will continue to do so for a while, unlike OnePlus, which only makes flagship and low specs, no flagship killers.
I would like to hope that they wouldn't, based on their origins. Xiaomi was once only a small software shop, making a skin for Android devices that was easily installable and actually quite good for the time. They had a huge community, and nearly all major devices had it, and I believe almost all of them required an unlocked bootloader.
If Xiaomi went ahead and locked bootloaders of their own will (instead of gov't requiring it), they would be crushing the same thing that allowed them to become successful.
I think locking the bootloader can prevent rogue shops installing malware (I heard this was an issue in China). But if that is the reason, the manufacturer could give devs and consumers a method to unlock.
I did wonder then if locking the bootloader could be at the request of the govt (cue Huawei paranoia).
Perhaps it is a feature not used often enough to justify the costs of warranty service/complaints to the manufacturer (kids bricking their phone).
Xiaomi does not make Android One phones anymore, and there are some preinstalled apps from Xiaomi. Also, it's full of Google Apps that are spyware but from a different company...
IIRC, they stopped producing phones with Android One around a year ago. So if you want to buy a new one you will have to get one with MIUI. Which, like I said, is packed with spyware.
When I bought my Redmi 4a, as a backup phone, I had to root it and flash it with LineageOS, because the amount of telemetry that phone was sending somewhere was straight up absurd. Same story with Mi 8.
https://www.mi.com/global/service/support/security-update-1....
The only exception is Xiaomi's Android One "A" line, which is now discontinued.