Out of the box, iPhones are a lot better than Android phones for privacy and security, but they have a few flaws. iPhones are completely proprietary, so you have no idea what Apple are doing on your phone. Apple also track iPhone users, although not as much as stock Android does. Apple were the first company to use location tracking.
Android tracks you a lot through Google Play Services. To remove the tracking, you need to flash a custom ROM that is de-Googled. LineageOS is one of the best ones. It strips all Google tracking and bloatware. If you do this, you will not be able to use some apps that require Google Play Services. MicroG is an open source alternative to Google Play Services. It stops Google from tracking your device and rarely connects to Google servers. When it does connect to Google servers, it anonymizes the data so Google still can't track you. You can use LineageOS with MicroG by installing LineageOS for MicroG.
GrapheneOS is also a great OS for Android devices. It greatly increases the security of your device by hardening many aspects of Android. It is led by the former developer of CopperheadOS, who has created many security enhancements for Android and the Linux kernel. Some have been accepted upstream. He has also made many other noteworthy projects such as hardened_malloc, linux-hardened, playpen and many more.
WARNING: MicroG can greatly decrease the security of your device because it requires signature spoofing support, which allows any app to request to bypass signature verification, the check used to verify the integrity of an app. LineageOS also decreases the security of your device: it disables verified boot, weakens SELinux policies, uses a userdebug build, doesn't have good update security, has added massive attack surface in the past (such as FFmpeg), doesn't include firmware updates and rolls back security enhancements for device compatibility.
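Several of the properties named in this warning (verified boot, the userdebug build type) can be read back from a device's system properties. The script below is an added example, not part of the original guide. It parses `getprop` output and flags those settings, using two constructed samples so it runs without a device; the function and sample names are hypothetical.

```shell
#!/bin/sh
# Added example: flag boot and build properties in `getprop` output read
# from stdin, one "[key]: [value]" pair per line. One line per finding.
audit_getprop() {
    seen_vb=0
    cr=$(printf '\r')
    while IFS= read -r line; do
        line=${line%"$cr"}              # adb shell output may end in CR
        case $line in
            "[ro.build.type]: [user]") ;;   # production build, nothing to flag
            "[ro.build.type]: ["*)
                echo "non-production build type: $line" ;;
            "[ro.debuggable]: [1]")
                echo "debuggable build: $line" ;;
            # green = locked with OEM key, yellow = locked with a user-set key
            "[ro.boot.verifiedbootstate]: [green]" | \
            "[ro.boot.verifiedbootstate]: [yellow]")
                seen_vb=1 ;;
            "[ro.boot.verifiedbootstate]: ["*)  # orange or red
                seen_vb=1
                echo "verified boot not enforced: $line" ;;
            "[ro.boot.flash.locked]: [0]")
                echo "bootloader unlocked: $line" ;;
        esac
    done
    if [ "$seen_vb" -eq 0 ]; then
        echo "verified boot state not reported"
    fi
    return 0
}

# Constructed sample: an unlocked userdebug build like the one described above.
sample_unlocked_props() {
    cat <<'EOF'
[ro.build.type]: [userdebug]
[ro.debuggable]: [1]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]
[ro.product.model]: [ExamplePhone]
EOF
}

# Constructed sample: a production build with a locked bootloader.
sample_locked_props() {
    printf '%s\n' '[ro.build.type]: [user]' '[ro.debuggable]: [0]' \
        '[ro.boot.verifiedbootstate]: [yellow]' '[ro.boot.flash.locked]: [1]'
}

sample_unlocked_props | audit_getprop
```

On a real device, pipe `adb shell getprop` into `audit_getprop`. Weakened SELinux policy and signature spoofing support do not show up in these properties and need to be checked separately.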
A hardened Firefox (see hardening Firefox)
Tor Browser for Android
Vanadium (GrapheneOS's browser)
Brave is a browser based on Chromium that blocks ads and trackers by default. It is useful if you do not want to spend a lot of time hardening your browser and do not want to use the Tor Browser. Brave doesn't have fingerprinting protection enabled by default. Enable it in the privacy settings.
Firefox Focus is a fork of Firefox that is simple and blocks ads and trackers by default. Firefox Focus doesn't block all trackers by default. Enable blocking of the rest in the settings.
Orfox is not made by the Tor Project. It is made by the Guardian Project. The Tor Browser for Android is made by the Tor Project and I find it to be a lot faster than Orfox. You need to install Orbot to use Orfox. The Tor Browser for Android is now in stable and Orfox is deprecated.
If you decide to use Tor Browser for Android, do not change any settings except the security settings. Do not install any extra extensions, and if you want to be as anonymous as possible, set the security settings to safest.
Rooting your Android device will greatly decrease its security by allowing any application to easily gain control over your entire device. Most rooting methods can be exploited via a simple clickjacker. If you do it wrong, you can brick your device. Rooting is needed if you want to improve the privacy of your device by removing GApps, blocking network access with a firewall, etc.
SuperSU is proprietary and owned by a Chinese company. The Chinese government can do whatever they want with it including making it contain malware.
These programs are proprietary and could possibly be malware. Some people have claimed that these programs gave them malware.
Google Play Store
F-Droid only allows open source apps and they cannot have trackers without notifying you first. If an app uses non-free network services or anything else you might not want they will tell you with AntiFeatures. They also verify the builds so they will most likely not contain malware. You can read more here.
Yalp lets you download apps from Google Play Store without being tracked by Google. It allows you to sign in with a Yalp Store account so you do not have to use your own. Aurora Store is a fork of Yalp which looks nicer. Aurora Store often crashes and right now I can't even open the app on my phone. You can get both of these on F-Droid.
These are the apps you should install on your device.
Orbot allows apps to use Tor. You can get this on F-Droid by adding the Guardian Project's repository.
Firewalls block apps from connecting to the internet. Most need root. If you have root, you should use AFWall+ or direct iptables. If you do not have root, you should use NetGuard. NetGuard uses a local VPN, so you cannot use a VPN alongside it. AFWall+ and NetGuard can be found on F-Droid. Direct iptables is already included in Android and is what all root firewalls use.