Thanks. 

Wouldn't a second travel phone be expensive unless its a Galaxy A or refurbished Galaxy J7 Prime?and arianwen,can you add protections to protections of the backup?im heavily privacy focused at most with recent phones this day and age

I'll explain in a little more detail.

Normal backups: your phone encrypts your backup data with a key samsung has, samsung then stores the key.

This is easy and always allows you to recover your data, since samsung has the key. You can't lose the key. Downsides are samsung if they wanted, can access your backup data, they wouldn't, but they could. If someone hacks samsung, they could take the key to the data. If some legal proceeding forces samsung to give up your backup data, they can unlock it.

Backup with enhanced data protection enabled: your phone generates a key, encrypts the backup data with that key then sends the backup to samsung. Samsung has no way to tell what the data is or decrypt the data, only you can.

This means only you can access the data, no matter what samsung or any legal thing does, the backup data on samsung servers cannot be read unless by you. The downside is if you lose the key your phone generated, the data is lost forever.

Now backup is explained, onto the physical phone stuff.

Since every country technically has a way to legally unlock your phone, a second phone is the only true way to keep privacy. It's a kinda extreme measure though since it costs due to needing a second phone.

Also if you're thinking of using samsung secure folder, that can be accessed either by law or a hack device, so don't try that as an idea.

To clarify, random people can't hack your phone, there are companies that create phone hacking devices and only sell them to police and governments. So while I say all this is possible, it would never happen unless some government or police said so.

In terms of general device protection. Use a long pin or password as the unlock method. If using a pin, don't have it auto unlock without pressing ok. Having to press ok means attackers don't know the pin length.

Have auto blocker on set to max, if on the beta, enable advanced protection too.

In the google part of settings, delete your advertising ID and turn off diagnostic data for google and samsung within your phone.

Make sure to make full system backups using a pc. In the smart switch app you can enable extra backup security, backup to a pc you own, now you have a secure local backup.

If security is your worry, google offers the advanced protection program. You need physical hardware keys to enable it. It basically locks your google account to only login if you physically prove it's you with a usb device

So on the travel phone you do backup with enhanced data protection and VPN (Cyberghost/Surfshark,etc,etc) and keep the bootloader locked?

On the travel phone just don't keep any data on it. The idea is your phone can always be accessed, so keep your personal data at home. Enhanced data protection only affects backups and the bootloader doesn't really have anything to do with keeping your data safe. An unlocked bootloader lets you install other operating systems on your phone, but doing so wipes all data on your phone.

Keep developer mode off, don't connect to free WiFi, you don't need to bother with a vpn unless you really like free wifi.

For the average person, your phone would never be searched and you'd be fine. It's just all of what I've explained is possible and could happen

And for browser old Tor Beta apkmirror?

Is Samsung servers vulnerable or have they been hacked/hijacked/leaked before?or not?