Hi @goody!
I’d also say that disk encryption is the way to go for you.
Power off your phone and press and hold Volume Up + Power buttons.
No, TWRP is not included in the FPOS. It’s a custom recovery image replacing your stock recovery. You can find an installation guide for TWRP and XPosed in the topic Porting TWRP recovery. You can skip all the building stuff there and just scroll down to “Versions” and “Installation guide for the compiled recovery.img”. I repeat the installation steps here in short, just to demonstrate you that it’s not that complicated (please refer to the extensive guide when performing the installation):
- Make sure you have
fastbootinstalled on your PC. - Download the TWRP image from the above linked thread.
- Boot your phone into fastboot mode (press and hold Vol Down + Power buttons) and execute the following commands in a command line:
fastboot devices fastboot flash recovery <TWRP-image> fastboot reboot
where you have to replace by the (path to the) image file you’ve downloaded.
If there’s stuff you don’t understand, feel free to ask about it, but please read through the linked post and search the forum and the web before.
Apart from cyanogenmod’s, or other custom ROM’s built-in permission manager (which you’d need the respective customROM for), I’d only recommend XPrivacy. There are other permission managers, but as far as I know, these are not open source. XPrivacy is and moreover, it’s stable, well-established, has worked for years now and it’s relatively easy to use after some time of familiarisation. There is a really short introduction topic on it and you’ll find more info in the forum and the web.