Your bank specifically requires Play Protect? That’s odd. I’ve never heard of something like that before. I’d still check this list to see if it might be compatible with GrapheneOS: https://privsec.dev/posts/android/banking-applications-compatibility-with-grapheneos/
You can get a Pixel 7a for under 300 EUR, and it is supported until 2028, so you don’t lose out on updates.
Yes, I know, draw.io theoretically isn’t entirely open source, but the source code is available and it can be self-hosted. Honestly, that’s good enough for me. I think I can make an exception for this one. But generally I care a lot about strictly using FOSS too. It can also be integrated with Nextcloud: https://apps.nextcloud.com/apps/drawio