Most of the tracking/backdoors is at the application level. Stock bloatware is a risk, less so the manufacturer’s firmware. Even non-bloatware can be a risk, for example many core Xiaomi apps (eg Phone and Messages) have ads and the apps connect to Chinese servers to deliver these. How significant these risks are is subjective and down to your own personal opinion.
You should definitely try and remove bloatware that comes pre-installed. For one, you’ll probably find a Facebook system app that the manufacturer bundled, this is separate to the actual apps you use their services with so why the hell would you want it? After that, you could try a custom ROM, particularly one based on pure Android AOSP, however leaving the manufacturer’s firmware can mean you miss out on some functionality (cameras are notoriously more functional when you use the manufacturer’s app).
Even with all that, there’s still the possibility of hardware vulnerabilities. However, it would be difficult to exploit these without physical possession of the device.
Most of the tracking/backdoors is at the application level. Stock bloatware is a risk, less so the manufacturer’s firmware. Even non-bloatware can be a risk, for example many core Xiaomi apps (eg Phone and Messages) have ads and the apps connect to Chinese servers to deliver these. How significant these risks are is subjective and down to your own personal opinion.
You should definitely try and remove bloatware that comes pre-installed. For one, you’ll probably find a Facebook system app that the manufacturer bundled, this is separate to the actual apps you use their services with so why the hell would you want it? After that, you could try a custom ROM, particularly one based on pure Android AOSP, however leaving the manufacturer’s firmware can mean you miss out on some functionality (cameras are notoriously more functional when you use the manufacturer’s app).
Even with all that, there’s still the possibility of hardware vulnerabilities. However, it would be difficult to exploit these without physical possession of the device.