To answer your question, yes, you’re being paranoid and irrational.
That CVE is in the Linux kernel, which CalyxOS should be fixing for you, via their security updates.
I think you’ll be fine as long as CalyxOS is supplying your device with Android security updates. As an average user, with no reason to be the subject of targeted attacks, firmware vulnerabilities are not a huge concern (assuming your OS and other software are up to date with security patches).
Of course, if someone hostile gets physical access to your device, firmware becomes more important. Remote exploitation of a firmware vulnerability typically requires first exploiting a software vulnerability (and CalyxOS is updating your OS software). With physical access, one might skip that step by connecting a cable to your phone and interacting with it directly.
Yes, SELinux is enabled (in “enforcing” mode) by default in Fedora. In my experience, it doesn’t hamper usability.
I remember seeing old advice from blogs and listicles about turning it off, on the theory that it might get in the way. But it’s better to leave it on if you care about security – especially if you want to learn.
When SELinux blocks a piece of software from doing something sketchy, an alert is generated to explain what happened and why. That’s rare but it’s a learning opportunity for you, not to mention preventing a potential security threat.
Mastodon is a huge part of the Fediverse. It allows you to control who can follow you (you can set it to prompt you to approve each new follower). You can make your posts visible to your followers only. Each post you make has a visibility option, and you can set it to followers-only by default.