Yes, just create an empty room with only you inside

Couldn’t you use HMAC with shared secret key to authenticate messages while keeping plausible deniability? Since the key is only supposed to be known to the 2 parties, the recipient can deduce that a message was actually sent by the sender if he did not create it himself. I think that’s what OTR was using.

Gocryptfs or CryFS. Many GUI available (Vaults, SiriKali, Plasma Vaults). Android compatibility with DroidFS.

DroidFS does not have Internet permission so any data exfiltration is prevented at the OS level.

Of course, but v1.x only supported gocryptfs. Also, new encrypted file systems may be added in the future.

DroidFS can open existing volumes. Just click on the “+” button in the bottom right corner, then on the folder icon, and then select the volume directory.

To type with only one finger, there’s 8Vim.

From a security point of view, it’s better to create a dedicated network for each of your containers, as apps won’t be able to communicate with each others directly.

You can even not setup networking at all and use UNIX sockets instead. However, back-end apps will need to support that.