This will be updated if my setup changes. Also, a disclaimer: I am not an infosec professional. I believe this will be useful, but you should do your own homework.
I wrote this up as a reference for myself, but perhaps you will find it helpful. Of course, using security features and apps does not in any way guarantee that you will be safe from hackers or thieves. Some people are resourceful and smart, or (in the case of state actors) just plainly powerful. But surely we should not make their lives easy.
Phone lock: Locking the phone when unattended prevents other people from rummaging through it. I use fingerprint and password (as a backup) to unlock the phone.
The phone is fully encrypted (using the standard Android feature). This way, if the phone is stolen or lost, nobody else should be able to read the data without knowing the password. Using Android Device Manager, I can remotely wipe the phone to make sure.
I use 2FA on my Google Account.
Apps
Sophos Intercept X for Mobile for anti-malware/antivirus protection. It also blocks malicious webpages, and can protect apps from unauthorised access by requiring fingerprint authentication.
Bitwarden Password Manager for password management. The Password Manager saves and generates unique passwords for every website and account I use. I also use this with Firefox and Chrome browsers on the desktop, thus synchronising passwords from other devices.
Authy, for 2-factor authentication. If an online service supports 2FA, I usually use it. Handy to prevent account hijacking.
I used to have ProtonMail installed for encrypted email, but nowadays I only use it on my laptop.
I use WhatsApp for instant messaging. WhatsApp is encrypted end-to-end. I also used to have Signal installed, but rarely use it. My favourite is Telegram, which also has end-to-end encryption, but unfortunately not by default.