I wanted to share my personal experience with regard to blocking certain system apps which, according to the official wiki on GitHub, should be set to allowed. So this isn't meant as a guide, but maybe someone still finds this useful. Also, others may chime in with their findings.
Setup: Galaxy S10e, latest stock firmware, Android Pie, Magisk rooted. Gapps disabled, including Play Services.
---------------------------------
(gps)
- Since I'm blocking almost all other system apps, I'm allowing it (via VPN). Otherwise I won't get location through Osmand/Gmaps.
(Kernel)
- Blocking it. The other day when I checked the log, it listed some Italian host that according to Whois belonged to an Italian garment/textile company. This is just an example from a cursory look at the connections apparently going through (Kernel), and I sleep better with it blocked. Call me lazy for not investigating everything down to the last 0s and 1s, but as long as I don't know and have no reason to trust, I go for block. As justification for giving (Kernel) the green light on all connections, the wiki solely mentions "cases where it needs to be enabled for all connection types", without going into detail. I've read that when deactivating DNS via netd, it'd be mandatory to allow all connections through (Kernel). Note that even though I have disabled netd, I've noticed no issues so far in everyday use of the phone.
(root)
- Blocking it. See (Kernel). Said to be mandatory with disabled netd, but no troubles here yet.
(media server)
- Blocking it. Just like (Kernel), no issues thus far. Naught showing up in AFWall log, either.
(shell)
- Blocking it. Same as (Kernel), the wiki mentions obscure "cases where it needs to be enabled". However, in everyday use I haven't seen such cases yet. Nothing showing up in AFWall log.
(configupdater)
- Blocking it. The wiki recommends never blocking it. Guessing by the name of the APK, this one might be related to Google services. Since I don't use any Google apps or services, and have had no problems (and no connection attempts logged, either), I don't see why this should be allowed.
(downloads, media storage, download manager)
- This one is weird. I always thought it is, as the wiki also states, "required for apps to download content". However, blocking it yields no conceivable downside. I can still access web content via my apps, receive messages, download files, for instance apk updates. Makes me think my AFWall is broken.
(android system - 1000)
- Block. Again, the wiki recommends allow all. But on stock Samsung phones, a lot of APKs that I don't want to "phone home" share this UID. So unblocking it is out of the question for me, unless someone convinces me it'd be essential for security. I used to get an ugly exclamation mark on my wifi icon. Disabling the captive portal check as instructed by various guides didn't work for me, it was still there. So what I did was follow this guide (German) to set up an alternative captive portal check destination. I then added that IP as an iptables exception in AFWall via custom script, so that even if 1000 was blocked, this particular connection would still go through.
(intent filter verification service)
- Blocking. In a discussion on the AFWall GitHub an intent filter is mentioned as a security feature, and that it should never be disabled. However, I guess that an intent filter verification service is yet something different than an intent filter. In any case, I never saw any blocked connections from this UID in the log. How can that be if it's such an important security feature that needs internet access and should never be blocked?
-----------------
So that's it. The only system apps I've allowed are (gps) via VPN and (ntp). The phone's apparently been running fine for a couple of days. There is no one size fits all approach for blocking system apps. Everyone needs to make their own decisions based on their setup and go for trial and error.
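As an added illustration (not part of the original post, and not AFWall+'s own code), here is what the custom-script part of the (android system - 1000) entry above could look like: an AFWall+ custom script that points Android's connectivity check at a host you control and inserts an iptables exception so that UID 1000 can reach only that host while it stays blocked for everything else. Assumptions, labelled in the code as well: the address 203.0.113.10 is a placeholder from the TEST-NET-3 documentation range and has to be replaced by your own generate_204 server, given as an IP because a blocked UID 1000 cannot resolve names; AFWall+ is assumed to filter OUTPUT through a chain named `afwall` and to export `$IPTABLES` to custom scripts; the `settings put global captive_portal_*` keys are Android's own (Android 7 and later). Unless the script runs as root with `IPTABLES` set, it only prints the commands it would run.

```shell
#!/system/bin/sh
# Added example, not from the original post: AFWall+ custom script that keeps
# "android system" (UID 1000) blocked but lets it reach one captive-portal host.
# Assumptions: AFWall+ exports $IPTABLES to custom scripts and filters OUTPUT
# through a chain named "afwall"; 203.0.113.10 is a placeholder (TEST-NET-3).

PORTAL_HOST="${PORTAL_HOST:-203.0.113.10}"   # your generate_204 server, by IP
SYSTEM_UID=1000
IPT="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

# Accept only a dotted-quad IPv4 literal: a hostname here would silently fail,
# because UID 1000 cannot resolve names while it is blocked.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Android settings that move the connectivity check to the chosen host
# (keys exist on Android 7+; the paths mirror Google's own /generate_204 probe).
portal_settings() {
    host=$1
    printf 'settings put global captive_portal_http_url http://%s/generate_204\n' "$host"
    printf 'settings put global captive_portal_https_url https://%s/generate_204\n' "$host"
    printf 'settings put global captive_portal_mode 1\n'
}

# iptables rules, one per line, inserted at the top of the afwall chain so
# they take precedence over the reject that AFWall+ adds for blocked UIDs.
portal_rules() {
    host=$1; uid=$2
    is_ipv4 "$host" || { echo "portal_rules: '$host' is not an IPv4 literal" >&2; return 1; }
    for port in 80 443; do
        printf '%s afwall -p tcp -d %s --dport %s -m owner --uid-owner %s -j ACCEPT\n' \
            -I "$host" "$port" "$uid"
    done
}

# Apply idempotently: -C checks whether the rule is already present, because
# AFWall+ re-runs custom scripts on every rule refresh.
apply_rules() {
    portal_rules "$1" "$2" | while read -r rule; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s %s\n' "$IPT" "$rule"
            continue
        fi
        # shellcheck disable=SC2086  # deliberate word-splitting of the rule text
        $IPT -C ${rule#-I } 2>/dev/null || $IPT $rule
    done
}

# Off-device (no $IPTABLES from AFWall+, or not root) only show what would run.
if [ -n "${IPTABLES:-}" ] && [ "$(id -u)" = 0 ]; then
    apply_rules "$PORTAL_HOST" "$SYSTEM_UID"
else
    DRY_RUN=1
    portal_settings "$PORTAL_HOST"
    apply_rules "$PORTAL_HOST" "$SYSTEM_UID"
fi
```

The `settings put` lines are run once from a root shell (or `adb shell`), not from the AFWall+ script, since they persist; the iptables part belongs in the custom script because AFWall+ flushes and rebuilds its chains whenever rules are reapplied. Only TCP 80 and 443 to that single address are opened, so the exception does not reopen the rest of UID 1000.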