Set your system-wide DNS to a provider in a country with better privacy laws. I use quad9. Disable DNS over HTTPS (DoH) in Firefox if you have it enabled, as it sends DNS queries to cloudflare, which may be even worse than sending your DNS queries to your default ISP servers (also disable DNS prefetch). If you’re hosting a DNS server, you can also set up a DNS blocklist if you use something like unbound or unwind.
I would get away from proton, they’re too popular and too much of a target, and most critically they fucked over a climate protestor, and then removed “we do not keep any IP logs” from their privacy policy. If they’re willing to lie about that, what else are they willing to lie about? If you want a fun project, set up your own mail server. Easy (relatively speaking) to do on OpenBSD with a cheap VPS provider like buyvm. Password manager is easy enough to write yourself with an openssl script, or you can use some other open source password manager if you hate scripting. Storage should be cheaper on a VPS than whatever proton is providing, and you can even host your own VPN (though this has potential to be easily routed back to you unless you serve multiple users with your VPN).
Disable javascript everywhere you don’t need it. I use qutebrowser, and javascript is disabled by default, and I only reluctantly enable it per-domain when I absolutely have to.
Use 3rd party open source clients for propietary apps, or move to open source ecosystems (like lemmy!).
I would get off of Android all together, and switch to a real Linux phone, if you can tolerate the jank. I don’t trust Google not to put a backdoor in the Android kernel (which forked all the way back at Linux 2.something). You could also try switching to a dumb phone, but those still run some amount of spooky blackbox software and I wouldn’t totally trust it from any major phone manufacturer.