Any Android device can increase its security by following a few simple guidelines. The following settings for hardening Android phones are partly based on the official checklist for the U.S. Department of Defense and a few of my own recommendations. Making one guide for all the different Android ROMs and user interfaces is difficult, so I'm mostly covering the basic settings. I'm currently not an active Android user but I wanted to make a counterpart to my Hardened iPhone video, so for recording I'm using my old Nexus 5 running LineageOS on Android 11. This should be close enough to stock Android to follow along.
BASIC SECURITY:
To receive important security updates and new features, you should upgrade your device to the latest available Android version. This isn't always as easy as it sounds, because cheap Android phones in particular are quickly abandoned by manufacturers and are then stuck with outdated software. The Pixel phones made by Google themselves are usually supported the longest and are also very popular among open-source Android developers. Alternative operating systems like GrapheneOS or LineageOS, based on recent Android versions, almost always support Pixel devices but can also bring older, abandoned phones like my Nexus 5 back to today's security standards. Dedicated secure operating systems like GrapheneOS provide a lot of very technical privacy and security features behind the scenes, which seem to be targeted more at advanced users. The other option for owners of abandoned phones would of course be to just buy a new device every couple of years.
Just like jailbreaking on iOS, rooting an Android phone gives full access to a device but generally decreases security and should be avoided. It is another potential risk that has to be managed by the user and that could be abused by malware. It is usually not required even for installing alternative operating systems, and even if it is required temporarily, it can be reversed afterwards as a precaution.
Rooting isn't necessary to sideload apps, although sideloading was made a little more complicated in recent Android versions. Installing apps from unknown sources is not recommended and is one of the main ways malware can get on a phone. That's probably why it is no longer a prominent global switch like in earlier Android versions but is now both a per-app decision and an option nested in the app settings. Here you can now select apps that are allowed to install apps from third-party sources. A popular source, for example, might be the open-source app store F-Droid, but in general the official Google Play Store should be the most trustworthy source for apps.
Another important measure to protect the data stored on the device is enabling encryption. This prevents anyone who finds or steals the phone from booting it without the passcode. Encryption is more secure than a simple lock screen code, and it is often enabled by default in recent Android versions.
If you're using Google's services anyway, you could just use the Find My Device app and Android Device Manager to locate and erase a lost phone remotely. There are also many similar services from other Android manufacturers and even third-party apps. I remember using the app Cerberus, which could locate and control a device through incoming text messages and which is apparently no longer available on the Play Store.
If you have enabled developer options at an earlier point, it is important to check that USB debugging is disabled. USB debugging essentially allows the device to be controlled while it's connected through USB, which is especially dangerous at public USB charging stations, which should be avoided anyway.
Before repairs or other times the device is out of your control, it should be erased. This of course also means that anything important should be backed up beforehand, which is one thing I always struggled with when using Android. Either every manufacturer had their own backup solution and I could never be sure if it included everything or, in the case of Google, backing up means uploading everything to their servers. I eventually settled on creating device images using the TWRP recovery, which isn't ideal for everyone either. Anyway, erasing all data is possible in the system settings under Reset options.
AUTHENTICATION SECURITY:
Set a PIN or, even better, an alphanumeric password to lock the device. A simple but long passphrase with 10 characters or more is much more secure than a short PIN or an unlock pattern. You can also use biometric features like fingerprint readers or face unlock for easier use. Android also has 'Smart Lock', which is essentially a second factor that's needed to unlock, for example a trusted Bluetooth device nearby. This is also a good time to check if an auto-lock timeout is set; otherwise a password could be pretty easy to bypass. Another password privacy setting you might want to consider is hiding the displayed characters as you type. Whether this is reasonable depends on whether someone is actually watching you type.
BROWSER SECURITY:
Web browser security and the corresponding settings obviously depend on the browser you're using, and Android has many. One of the most popular is probably the mobile version of Google Chrome. My LineageOS version has a very basic default browser where the only noteworthy option might be Do Not Track, although this feature has been pretty much discontinued. For additional security in Chrome, you can disable Save passwords and disable auto-fill for payment methods and addresses. The Site settings also have options to block third-party cookies, which are usually used for web tracking, and a very basic ad blocker. In the unlikely case you are looking for security over usability, you might want to consider disabling JavaScript as well.
NETWORK SECURITY:
In the Wi-Fi preferences, disable network notification. This can prevent inadvertently joining a malicious network with a familiar name. Similarly, forgetting known networks that are no longer needed can help prevent this as well. Also turn off Bluetooth and any other wireless signals when not in use. The same can be said for location services, which in part use wireless signals to scan nearby networks.
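The settings covered in this guide can also be checked in one pass from a computer. The following is an added example, not part of the original guide: it audits a text dump as printed by `adb shell getprop` and `adb shell settings list`, using a constructed sample. The age and timeout limits are assumptions, and collecting a real dump needs USB debugging switched on temporarily, which the audit itself then reports.

```python
import re
from datetime import date
# Constructed sample: lines as printed by `adb shell getprop` ([key]: [value])
# and `adb shell settings list global|secure|system` (key=value).
SAMPLE = """\
[ro.build.version.security_patch]: [2021-03-05]
[ro.crypto.state]: [encrypted]
adb_enabled=1
bluetooth_on=1
wifi_networks_available_notification_on=1
lock_screen_lock_after_timeout=5000
screen_off_timeout=1800000
show_password=1
"""

def parse(dump):
    values = {}  # both line formats end up in one {key: value} dict
    for line in dump.splitlines():
        m = re.match(r"\[(.+?)\]: \[(.*)\]$", line) or re.match(r"([\w.]+)=(.*)$", line)
        if m:
            values[m.group(1)] = m.group(2)
    return values

def _ms(values, key):
    raw = values.get(key, "")
    return int(raw) if raw.isdigit() else None

def audit(dump, today, max_patch_age_days=90, max_lock_delay_ms=120_000):
    """Return findings; both limits are assumptions, not values from the guide."""
    v, findings = parse(dump), []
    try:
        age = (today - date.fromisoformat(v["ro.build.version.security_patch"])).days
    except (KeyError, ValueError):
        age = None
    if age is None or age > max_patch_age_days:
        findings.append("security patch level missing or too old")
    if v.get("ro.crypto.state") != "encrypted":
        findings.append("storage is not encrypted")
    for key, text in (("adb_enabled", "USB debugging is enabled"),
                      ("wifi_networks_available_notification_on", "Wi-Fi network notification is on"),
                      ("bluetooth_on", "Bluetooth is on"),
                      ("show_password", "password characters are shown while typing")):
        if v.get(key) == "1":
            findings.append(text)
    screen = _ms(v, "screen_off_timeout")  # screen timeout plus lock delay = time until locked
    delay = _ms(v, "lock_screen_lock_after_timeout") or 0
    if screen is None or screen + delay > max_lock_delay_ms:
        findings.append("auto-lock delay missing or too long")
    return findings
```

Calling `audit(SAMPLE, today=date(2021, 6, 30))` on the constructed dump reports everything except the encryption check; an empty list means every checked setting matches the guide.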