Relocking your bootloader cannot protect from apps, Verified Boot will however protect against that on devices where it is supported/enabled.
It however for example can protect against someone with physical access from flashing a modified keyguard that saves your password or other nefarious things.
As for the microphone on shamu, that is likely broken by the deblobber.
For shamu it removes libmotaudioutils.so and libspeakerbundle.so
Can you post the output of:
abd logcat -b all -d | grep -i -e dlopen -e .so