When you run an Android phone with an unlocked bootloader, one of your main security concerns has to be physical device security.
Even while your data is encrypted, on Android your OS is not and therefore someone with physical access to your device can trivially inject malware that runs with system permissions.
The same is true for the kernel of your notebook and desktop computer when it doesn't run "secureboot" or a comparable security measure.
Unfortunately, on some phones you can lock the bootloader after flashing a custom ROM (Google) while on some you can't (OnePlus).
OnePlus? I recently switched to a OnePlus 6T (fajita) with LineageOS, but when I tried to lock the bootloader I ended up with a soft-bricked device. On the other hand, this worked with a Pixel 3a.