A little addition: If you want an even higher level of security, in which nobody except you can flash packages in recovery, you can create a recovery with limited functions and forced signature verification, with your own keys embedded in that recovery.

This is just like the original status of nearly all Android devices when they are shipped: only signed OTA update packages can be applied via recovery. Normally, the packages are signed by OEMs; however, you can become the "OEM" by creating your own private key, which is used during package signing.

Just follow these guides to create a recovery with your own keys. I use CM 13.0 recovery, since it only has basic recovery features, including installing a ZIP file and factory reset, and it has mandatory ZIP signature verification.

The reason why I don't use TWRP is that it allows update packages with any signature. Although you can enforce signature verification, it can also be switched off in TWRP settings.

Now you get a recovery which only accepts ZIP packages that are signed with your own private key. The only downside is that you need to sign every package you want to flash each time. But this also means that if a stranger picks your lost phone up, they can't tamper with your phone's OS. If the "reset protection" feature works with a locked bootloader on our Redmi Note 3, the only distance between our phones' security and Google devices' is EDL mode and encryption.
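As an added example (not part of the original post, and not code from any recovery project), this Python function runs the structural footer checks that AOSP-style recovery applies to a whole-file-signed ZIP before it verifies the signature, which makes a quick pre-flash check that a package was signed at all. The function names and the sample package are constructed for illustration, and the code does not validate the signature against any key.

```python
import io
import struct
import zipfile

EOCD_MAGIC = b"PK\x05\x06"
EOCD_HEADER_SIZE = 22  # fixed part of the ZIP end-of-central-directory record
FOOTER_SIZE = 6        # (2-byte signature start) ff ff (2-byte comment size)


def check_whole_file_footer(data: bytes) -> dict:
    """Structural check only; does NOT verify the signature cryptographically."""
    if len(data) < FOOTER_SIZE:
        raise ValueError("too small to carry a signature footer")
    sig_start, marker, comment_size = struct.unpack("<HHH", data[-FOOTER_SIZE:])
    if marker != 0xFFFF:
        raise ValueError("no whole-file signature footer (package is unsigned)")
    if sig_start > comment_size or sig_start <= FOOTER_SIZE:
        raise ValueError("signature offset is inconsistent with the comment size")
    eocd_size = comment_size + EOCD_HEADER_SIZE
    if len(data) < eocd_size:
        raise ValueError("comment is larger than the file")
    eocd = data[-eocd_size:]
    if eocd[:4] != EOCD_MAGIC:
        raise ValueError("EOCD record is not where the footer says it is")
    if EOCD_MAGIC in eocd[4:]:
        # A second marker could make a ZIP parser pick a different directory.
        raise ValueError("second EOCD marker inside the comment")
    return {
        # Bytes covered by the signature: everything before the comment length.
        "signed_len": len(data) - comment_size - 2,
        "signature": data[len(data) - sig_start:len(data) - FOOTER_SIZE],
    }


def build_sample(signed: bool) -> bytes:
    """Constructed sample ZIP; the 'signature' is placeholder bytes, not real."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/com/google/android/updater-script", "# constructed\n")
        if signed:
            msg, sig = b"signed by SignApk\x00", b"\x30" * 64
            total = len(msg) + len(sig) + FOOTER_SIZE
            zf.comment = msg + sig + struct.pack(
                "<HHH", len(sig) + FOOTER_SIZE, 0xFFFF, total)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_whole_file_footer(build_sample(True))["signed_len"])
```

A package that passes this check still has to verify against the key embedded in the recovery; one that fails it would be rejected before the signature is even examined.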