I’ve heard and seen folks say rooting Android is a huge security risk and adds an attack surface, but haven’t seen anything to support the claims, really. Yes it’s less secure for the average person, who doesn’t know anything about security, to root an Android, but to say it’s completely insecure without any supporting explanation (not you in particular, just in general when this is said) doesn’t help. I like to imagine it like installing Linux and being told to trust the distribution you installed, but they disabled root and removed sudo because it’s insecure.
The reason I root is actually for both security and privacy. Without it, I can’t use custom firewall rules to restrict apps and system processes from reaching out to the internet or local network devices (AFWall+), have a local hosts setup (Adaway), run a VPN to my home network (Wireguard), and monitor all app network process calls (PCAPdroid) at the exact same time. It also prevents me from being able to create custom cron jobs and custom system changes I need that have only root access.
Being that I am also home 95% of the time with my phone on my person at all times, physical attack surface is less concerning for me, too.
With that all being said, the (assumed) excuse that “malware” is the security risk with root makes no sense to me because whether or not I have root access, phone malware probably doesn’t need it in most cases since they’re exploiting non-root things so that they can target the majority, not minority. Not to mention I rarely ever even install apps on the phone and most of my web surfing is done on my laptop, not my phone.