RethinkDNS (available on F-Droid) has a mode where it blocks every connection by default and you have to allow each app to access the network. I used that to effectively disable the pre-installed malware on my Android TV box (X88 Pro iirc). It also has DNS and connection logs to check network traffic (can be a lot though). GlassWire (Play Store) is nice to quickly check for an unexpected amount of network traffic. Not sure if there are ways around that, but it worked in my case a while ago.
I'm not sure about my phone, maybe I'd like to keep Google Lens, but on a TV box it seems completely unnecessary. Its identifier com.google.android.googlequicksearchbox also sounds like it shouldn't contain anything important for the working of a device, but who knows with Google. Is there anything unexpected that would stop working when uninstalling / disabling updates for this?
https://www.dannyvanheumen.nl/post/secure-boot-linux-shim-mokmanager/ seems to be a good introduction to the concept. Your distribution should have specific documentation on how to make custom kernels and secure boot work if you need more details.
If you have already made a certificate and imported it with mokutil, maybe you just need to select the MokManager.efi from your screenshot and start that to enroll the key.