You don't need antivirus on Android, that's something for Windows only. It's seriously counterproductive and will only bloat your system and bog it down.
If you have root, you can configure iptables just like on any normal machine.
If you want open source quality, even though there are only about 750 apps on F-Droid, they are mostly good, and fully open source, so a hell of a lot more secure than proprietary apps on the Play Store. Most important apps are there.
The problem with Android is that it's fully infiltrated by Google spyware. You can't even get to the Play Store without a Google account. If you want to keep all the functional benefits of gapps, what you can do is make bogus accounts every month or so and run your Android with that bogus Google account, and keep your real mail accounts safe by using an alternative mail client like K-9 Mail. But you don't really need gapps, there is little benefit in them. There are better open source alternatives (cheaper, and if you're in the EU, better support for navigation through open source maps, Google navigation only really works well in North America) for both navigation and maps. You can use the Firefox browser with a cookie self-destruct plugin, and an ad blocker, and only use HTTPS links, and set DuckDuckGo as default search engine. You can run your own cloud instead of using Google Drive, etc., and in that case, you can either flash a gapps uninstaller script, or flash CyanogenMod for instance without flashing gapps. That will give you a HUGE performance boost of your phone, because gapps and the Google spyware running in the background are what make any phone slow and laggy.
It all depends on how far you want to go. Security is often not perceived very correctly. There are hardly any people who want to protect their data from governmental organizations, because to be honest, you can't, they will always spy upon everyone, that's what they do. But the main security leak in Android comes from Google, like the main security leak in Windows comes from Microsoft. If you stick to open source code, that's pretty much not an issue anymore.
You could also use APG to encrypt your mails and files, you could encrypt your entire device so that it's not usable when it's stolen or lost, etc. As I said, go as far as you want to go.
You don't need Google services at all, not even Google search. It's completely possible to use Google search through HTTPS and without Google profiling you and building a bubble around you and making your access to information selective. For instance, if you want to do a safe Google search, use DuckDuckGo as search engine in Firefox, and enter "!g" after your search term, and it will give you the Google search results, or "!yt" for YouTube results, or "!gi" for Google Images results, etc., but it will not send any info about your search or your identity to Google. That works on all platforms.