If you buy a phone from a carrier, say T-Mobile (what I have), you typically will have a non-rooted device that ships with their own custom ROM, along with some of their apps. So OS updates are pushed by / from the carrier.
You end up with a situation where, if you have any beefs with the device's behavior, T-Mobile shrugs their shoulders and says, "You'll have to call Samsung." If you call Samsung, they say... yeah - you guessed it.
As some of you already know, you can firewall a non-root droid by first creating a VPN on it, then you have control of the traffic. This *only* works on Wi-Fi, forget 4G. It also doesn't work with any UDP-based transport layer. I have a no-root firewall and I like it a lot but - since it requires using up the one VPN you can run (at a time), you can't run another VPN client (like PIA).
Also - if you *do* run your (insert "privacy" oriented VPN client) on your droid, you are committing "privacy suicide".
Think about it - now all your apps are not firewalled. Pretty much all of them are phoning home, using the IDs / keys that are already unique to YOU, and now you've associated yourself with an IP address of some VPN.