That is a vast oversimplifications. Custom Android builds either rely on reverse engineered drivers, or vendor kernels, or mostly undocumented drivers and custom kernel patches.

Custom "ROMs" are often very insecure, as they use the outdated stock vendor kernel of the original OS, as it is so customized. Not always, but often.

Then you have firmware, which is responsible for a ton of tasks on Android phones, way more importantly than on a PC. There is an entire separate, proprietary chip in there, connecting to sensible and insecure networks like 2G and 3G (the modem/baseband).

I found this article to explain the situation well

[–] BurnedDonutHole@ani.social 1 points 2 hours ago

And yours is a vast exaggeration. You do realize all of these phones are using either Qualcomm or Mediatek chips and designs which already have those tracking firmwares right?

All of these companies are using these firmwares. As for the Custom ROMs it depends on the device and the custom ROM you're using. So, calling them entirely working on reverse engineered is a bit much. That's why these so called free phones need hardware kill switches. Even that article you linked states this. So, unless these guys come up with 100% pure homemade hardware and Linux based OS they will never be free from tracking. Even then they won't be free from tracking. Hence my point: You can get the same level of de-google and untraceable stuff with using a proper Custom ROM suitable for your device.