Ok thanks everyone! If I summarize:
As far as security goes, using uBO hardmode along with good practices (delete cookies on exit, etc.) should be enough. The user should know in advance which 3rd party to unblock by researching it. I personally ask AI to know which script does what prior to unblocking it.
If there is a zero-day exploit, you might be screwed either way as we don’t know the zero days and what they do.
As for fingerprinting, only Mullvad (once there will be enough users) + VPN or Tor help. But this is for desktop. On Android, there is pretty much no solution as far as I know.