I’m using FP Open with Xposed and XPrivacy. After an update is installed with the Fairphone OTA app, Android is booting without Xposed enabled. This means apps aren’t restricted by XPrivacy. With some apps possibly running automatically at boot, this is a security issue (e.g. commercial apps making network connections that are temporarily able to access e.g. the real device id, network provider, non-whitelisted contacts, etc.).
Ideally Xposed would be enabled in TWRP after applying the OTA update ZIP, but I’m not sure if this is possible at all.
Currently I’m waiting for the OTA update to have downloaded the file, started the update process, and when the message changes to something like “restarting” I’m quickly going to flight-mode. This at least allows Android without Xposed to boot with no network connection. But it is tricky to get the timing right. The updater either stops the update process, or crashes when it loses WiFi before restarting, even when the file is fully downloaded.
The ideal solution would be to allow TWRP to install additional ZIPs after an OTA update, so that there is no boot with Xposed disabled (assuming it doesn’t result in a messed up system …).
My feature request for the OTA updater would be to not require WiFi anymore after the file is downloaded.
I guess the easiest way to go would be downloading and installing updates manually via TWRP (see the #updateguide@vthejay links below).
On Lineage OS there is also the possibility to make system modifications survive OTA updates - I don’t know if this is theoretically also possible with Open OS (maybe it’s a specific Lineage OS or Android 7 thing?).
So you could also switch to Lineage OS, but there XPosed is not (yet?) officially supported and you’d have to check whether the unofficial XPosed supports XPrivacy with all it’s features (EDIT: Oops, I completely missed the news that XPosed was already official for Nougat, I only tried the unofficial one from back in the days. Maybe I should give it another try - I do miss some XPrivacy and GravityBox features).