There are 2 answers to this.

Security

From a security point, Firefox on Android does not isolate processes and not even itself in a good way, so it is a total security mess.

You should not use it, but use Cromite or Brave, Vanadium on GrapheneOS. Note that most FOSS “privacy browsers” that have a download size of under 100MB will use the system webview and also not be able to isolate processes.

Usability/Privacy

Use Mull, disable keeping history (but do not enable “delete cookies”) and use “Cookie Autodelete” to replicate what Firefox desktop can. You set it to delete all cookies, but you visit sites where you want to stay logged in, open the popup and whitelist only them. You “outsource” the cookie cleaning to the addon, as FF mobile doesnt have this feature.

I do it like that on mobile and desktop, delete all cookies and only keep those where you want to stay logged in.

On Mull also install UBlock origin. If you want security and an opt-in approach, install NoScript too and set “default” to not allow any javascript. You will need to “unbreak” every site you visit.

This approach will spare you of hundreds of embedded javascripts on websites, and you manually allow only what seems okay. (You mostly never know if it really is, as Javascript is often obfuscated). This is good for privacy and security.

the theory behind this

Adblockers and malware scanners use “badness enumeration” which means “allow everything but block a, b and c”. This is fundamentally flawed, as malware can easily change “how it looks” (encode and decode again, or use randomized obfuscation) and with ads you will always have to keep track of changes.

The list of malware and ad sites will grow and grow, slowing down machines and consuming tons of processes.

Noscript and the cookie approach are the opposite, you block everything and the list you keep is only as big as the stuff you want.

fennec is good. You can also use the normal browser for sites where you are logged in / trust. And the private tabs for anything else