Only real way is never connecting it to the internet. Otherwise you will always have a vulnerable server with the only hope that it's not a mainstream server and by that not that much threatened by script kiddies and mass scans
I guess in this use case removing the cellular access and only using it on LAN would be good enough?
Edit; second though NO. Clicking a bad link with some browser exploit on it will still get you infected in that case. So you couldn't use this to browse the internet safely. Still as a Termux only tool seems safe.
Unlike on iOS, your browser runtime is not tied to your phone. Most phones come with Google Chrome as the default browser which no longer gets updates below Android 7, but Firefox still gets updates on Android 5.0+.
With an up-to-date browser you run about the same risk you run if you're using a computer. The kernel exploits are problematic, but Android also adds annoying sandboxing that requires a lot of device-specific exploit code to bypass properly.
Realistically, even if just the browser was exploited and the kernel and runtime around it were perfectly secure, you'd still have a huge problem. Your browser is where all the access tokens and passwords go into and where your search history is coming from.
I wouldn't bank on these long unmaintained devices, but I think they're fine to use for most people.