Long-term custom ROM user here.
Regarding security: as always, it depends on your threat model. If you fear a government actor getting access to your phone, a locked bootloader won’t slow them down.
Regarding privacy: I’ve had both VPN logs and external Wireshark running against traffic going in & out of my custom ROM phones & sometimes I still do it for fun. If you know what you’re getting into (e.g. LoS still using some Google services) then a Custom ROM usually holds far fewer surprises than some questionable OEM ROM (which is terrifyingly scarce regarding changelogs while still having OTA update power).
tl;dr: stick with well-known ROMs & you get … not the best of both worlds … but a “good enough” of both worlds.