This is where I think the new line of Linux phones need to put in a lot of work. Properly sandboxing applications and defending against corporate snoopers should be a top priority of any open source phone OS.
I mean you need an undetectable virtual machine for a phone really. That's the reality: I'm content with my phone running some type of hard to crack secure element so companies can convince themselves it's secure, but what I want is that thing isolated and it's network and cellular access gated.