Firewalls block access to the internet, but they are not 100% effective; some spyware apps will get through.
Here is what seems to work for me:
First of all, I disable IPv6 and only use IPv4 in Android mobile data in Access Point Names in settings. If the Android installation does not allow doing so in the current profile, I just create and select a new profile with everything the same except for IPv4/IPv6 or IPv6 being changed to IPv4. The reason for this is that not all anti-spyware apps work well with the IPv6 protocol. There are articles on how to find Access Point Names in settings online, and creating a new profile is as simple as copying the data in the current profile.
In addition to AFWall+ or another firewall (whichever works better on the device I am using, although I have a preference for AFWall+), I install ClassyShark3xodus, AdAway, Blokada, Autostarts, Shelter and Net Monitor.
In autostarts I disable start at boot and start after boot for apps that do not require it in order to function. Of course, I leave vital system apps unchanged.
In the firewall I block any apps that do not require internet access to function. There are two groups of system apps listed together. The group with settings as one of the apps is required for internet access so I leave that unchecked. I block the group with phone services in it without issues.
Blokada is a DNS proxy that can also block things listed in predefined hosts files. In this program I set the DNS server of choice to one of my preference (I do not know which one is the most private, but any of them would be better for privacy than Google's DNS server or the ISP's DNS server).
For auditing and blocking apps that bypass the firewall I install AdAway and Net Monitor. This will sound a bit complicated but is simple enough once you have tried it out, and once set up you can audit an app for access to spyware servers in just 2 to 3 minutes. AdAway is generally an ad blocker, but these two apps have a logging feature.
In AdAway you have to first enable ad blocking and then tap on the menu icon at the top left, then log DNS requests, tap enable logging and then tap show results. In Net Monitor you have to tap the menu icon at the top left, then History, then the icon at the bottom right, and then select which apps you want logged. After that tap the menu icon and then Main, then tap the icon at the lower right to start monitoring. Note: the logging in AdAway and the monitoring in Net Monitor do not start automatically; you will have to start them any time you want network connections logged.
After doing that, start the app you suspect to be spyware and after a few minutes check Net Monitor to see if the app has accessed the internet and what IP addresses were accessed. Do not have a web browser running while logging internet connections; it will access and prefetch various web sites and it would become hard to determine what is the browser and what is not. If anything shows up in the history in Net Monitor that is an actual IP address for any app in Net Monitor, then you check AdAway's logging to see if any DNS queries occurred. To do this, tap on show results under logging (if you have not done so) and swipe down from the top to show the latest DNS queries.
You can use a web browser and type "what is (enter web address listed in AdAway here)" to do a web search and identify the web address to determine whether or not it is spyware. Or, if the app is supposed to be blocked by the firewall, block all of the DNS queries from the app (if you are certain they came from this app and are web addresses used by spyware) by tapping the block icon (circle with a line through it) beside the DNS query. After that, tap Apply at the bottom right corner and give AdAway time to build the hosts file. When it is done, reboot your device so the changes can take effect. You may have to repeat checking an app several times because it may be programmed to access a different server if the current server is blocked. After that you can try having logging enabled every time you use the app for a while to make sure it is completely blocked.
For spyware apps you cannot find alternatives for, you can try installing Shelter and using it to clone apps to a work profile and uninstall or disable them outside the work profile. A work profile reduces data access by apps to the apps and files outside of the work profile, and this can work if the spyware app needs internet access to be useful or if you want to play games but keep the spyware games from accessing your data.
ClassyShark3xodus examines apps individually for known trackers and reports them; you can use this app to see which apps send data to third-party telemetry servers. Warning: you cannot unsee it; results can be disturbing. Just select the app, then give ClassyShark3xodus a minute to scan the app and display results.
Of course, having an app that prevents selected apps from running in the background is also helpful; I suggest it. I just do not know which app is the best one to use.
Privacy is not an installation, it is a process with a learning curve. What I posted are suggestions and these days it takes some work to not always be under a corporate microscope. However, once this is achieved without losing anything you need it can feel quite liberating.
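The repeat check described in the post (an app switching to a different server once the first one is blocked) can be done mechanically, because a hosts file blocks only the exact hostnames listed in it. The following is an added example, not part of the original post: the hosts text and query names are constructed, the function names are hypothetical, and grouping by the last two labels is a simplification of real domain boundaries.

```python
# Added example, not from the original post. All hostnames below are constructed.
HOSTS_TEXT = """\
# constructed hosts file in the standard "address hostname" format
127.0.0.1 localhost
0.0.0.0 telemetry.tracker-example.com
0.0.0.0 ads.tracker-example.com   # inline comment
::1 localhost
"""

# Constructed DNS query names, as copied from a log after two audit runs.
QUERIES_RUN_1 = ["telemetry.tracker-example.com", "api.game-example.org"]
QUERIES_RUN_2 = ["Telemetry2.tracker-example.com.", "api.game-example.org",
                 "ads.tracker-example.com"]

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def normalize(name):
    """Lower-case a hostname and drop surrounding space and the trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_blocked_hosts(text):
    """Return the set of hostnames a hosts file maps to a sink address."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRESSES:
            continue
        blocked.update(n for n in map(normalize, fields[1:]) if n not in LOCAL_NAMES)
    return blocked


def parent_domain(name):
    """Assumption: treat the last two labels as the owning domain."""
    return ".".join(name.split(".")[-2:])


def audit(queries, blocked):
    """Sort logged names into blocked, siblings of a blocked name, and the rest."""
    blocked_parents = {parent_domain(b) for b in blocked}
    report = {"blocked": [], "sibling_of_blocked": [], "unreviewed": []}
    for name in sorted({normalize(q) for q in queries}):
        if name in blocked:
            report["blocked"].append(name)
        elif parent_domain(name) in blocked_parents:
            report["sibling_of_blocked"].append(name)  # likely fallback server
        else:
            report["unreviewed"].append(name)
    return report
```

Names reported under `sibling_of_blocked` resolve normally despite the existing block entries, so they are the first ones to look up and block on the next pass.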