I considered something like this at one point, but I ended up installing OpenWRT on my existing router instead because what I ultimately wanted was more flexibility, and was concerned about a single point of failure. Now, I have the ability to do things like always run certain devices through a VPN, block specific devices from the internet with a firewall, as well as DNS for self-hosted stuff.
What I don’t like about ATV and the Apple ecosystem in general is the lack of ease with sideloading. Ha, I’ve created throwaway accounts with fake emails in the past and then lost access to the email account followed by the Apple device basically being bricked a result. If it’s so “private” then why not let me install free apps from the App Store without an account?
I’ve also been meaning to do some debloating on my Shield as shown here, but probably worth disabling some of these first and testing a while instead of uninstalling just to make sure nothing important breaks.
The Onn debloating recommendations above only uninstalls bloatware and not system components, so it’s less concerning.
The Shield can supposedly be updated with LineageOS instead of stock, but I haven’t tried it. I also have a couple Onn 4K streamers that I debloated and swapped in FLauncher, and it’s on my TODO list to do the same with the Shield. My concern with stock OSes is of course any telemetry I’m not aware of or can’t disable. I usually setup Netguard, although I still get ads on my Shield, so its effectiveness is fairly limited.
Edit:
I found this Reddit post helpful for the Onn 4K devices:
As many others have said, not allowing inbound WAN connections into my LAN is an important step. I also run k3s on my server with Calico as the CNI and make heavy use of network policies to keep anything I’m running from misbehaving. That, along with easy ingress makes k3s worth it for me over Docker Compose. I use OpenWRT on my router and force certain devices to run through a VPN and block other devices from the internet entirely.