This is the BEST write up I have ever seen on the topic. Had no idea it was out there and explained a lot about the inner workings for security I wasn’t expecting.
https://www.reddit.com/r/LineageOS/comments/n7yo7u/a_discussion_about_bootloader_lockingunlocking/
It was in response to the Naomi Brockwell post she did on Twitter about businesses using WiFi, Bluetooth and Location Services to track you in public locations. You can Google it directly “NBTV Advice from Defcon” or this link: https://nbtv.substack.com/p/advice-from-defcon-turn-off-bluetooth
I actually came here to echo this exact sentiment. I was on Lastpass until their first breach and then on Bitwarden both cloud and self-hosted until a few months ago when I set up with Proton. I liked Bitwarden so I put off trying ProtonPass. One weekend I set it up and ended up putting my 2FA items in as well. It feels absolutely seamless to use. The email aliasing for websites is so easy for making new website accounts. In my desktop and laptop browser the way it automatically offers to autofill the 2FA is so clean. I can’t see myself going back unless Proton gets prohibitively more expensive or the product declines in usability/security. If you are currently using Proton’s suite of apps give Protonpass a try. You can easily import from Last pass/Bitwarden and use both to compare side by side.
You noted on the phone hardware but not the software so I’ll comment on that. Recently OnePlus has announced as of Android 16 that they will restrict bootloader unlocking to only those who fill out an application.
Nothing Phone 3 and all prior Nothing phone bootloader are still unlockable to this day with no call to restrict it. I would know, I have a Nothing Phone 3 running Shizuku and am waiting for Google to move Play Integrity off of its Kanban board so I can root again. Their forums have a strong development presence and as far as I’m concerned this is the one of the last good holdouts on this new restriction standard.
Pixel was the de facto standard for unlocked bootloaders. However, Google is the core of the “registered developers only” movement for their phones, killing sideloading and removing Pixel images from the development models in AOSP. I no longer support new Pixels (certain used ones are still good, don’t get the 6 series though they are BAD).