You can build AOSP yourself, directly from source.android.com (pretty easily). If you do so, you check out the source from Git and build a system where you could at least have checked the source (most likely it’s clean, as hundreds of people are working on the source code and constantly check it. But there is no guarantee).
You then have a 100% FLOSS AOSP (to make it run you need additional drivers, but that’s no real issue, as you use a FLOSS kernel you know to run the drivers, and so you have control over them. None of the binary blobs bypasses the kernel).
The next step would be to use F-Droid as the app store, and even when you use Aurora to install Play Store apps, the Aurora Store shows you trackers, and those apps run on a FLOSS system you built yourself.
You still can’t be 100% sure, but as you lack the GSF on a self-built AOSP, the chance of getting data sent to Google is extremely small.
So in my personal opinion (I am sure someone sees that differently), if you say that you need the most protection of your private data that you can get, you have to build AOSP yourself from source. Then you only have to care that your apps won’t go apeshit, and if you carefully select your apps and/or use FLOSS apps mostly, that risk is tiny.