Even with the most secure alternative Android, you always have blobs from the original manufacturer that you have to use for some hardware-related critical functionality. And of course, the baseband that usually has full access to device's memory using DMA.
That's where the backdoors go, I'd suspect.
In this regard I'd trust Xiaomi way less than Google.
However, Google phones have been subpar for a long time. E.g. the storage was too small and non-extendable. Makes sense from a Google point of view, as you're supposed to store everything into their cloud. But not well suitable for offline-first and privacy-first.
However, Google phones have been subpar for a long time. E.g. the storage was too small and non-extendable. Makes sense from a Google point of view, as you're supposed to store everything into their cloud. But not well suitable for offline-first and privacy-first.