It’s really nice to have ad and tracker domains blocked systemwide though I think you need to be more careful and set your device up as supervised to have more robust blocking (real always-on VPN functionality vs. best effort?).
And even then, when I read about defects in Apple software that mean a firewall like Little Snitch isn’t perfect (macOS), I think an external device (mobile VPN router?) is going to be essential for some threat models.
I can see how system-wide blocking would be useful. I’m personally very conservative and wary about apps that I install on my iPhone (I don’t use any ad-supported apps) so the browser is the “attack surface” that I’m most concerned about.
I already use uBlock Origin and iCloud Private Relay (as advised in your original post). I also use Private Browser tabs and regularly remove all “Website Data” from Safari (minor inconvenience in that I have to re-login to sites that I have an account on).
I’ve just installed AdGuard on my iPhone to try it out but see that the DNS protection requires a Premium subscription (it now occurs to me that I could possibly install WireGuard to connect to my VPS where I’m already running my own DNS server). I’ve also never looked into supervised mode; I always assumed it wasn’t relevant for personal devices.
And even then, when I read about defects in Apple software that mean a firewall like Little Snitch isn’t perfect (macOS), I think an external device (mobile VPN router?) is going to be essential for some threat models.
(& uMatrix looks great!)