Fennec and other Firefox forks security on Android

My friend says that I should not use Firefox or any Firefox-based browsers on Android. The reason is they lack sandboxing and site isolation or something like that :thinking:

Should I be worried? Can someone explain to me whether it is OK to use Fennec? Or should I use another browser?

They provided links to exploits too, yes?

Firefox actually does have site isolation: Introducing Site Isolation in Firefox - Mozilla Security Blog

But it's way less mature than Chrome's and even less so for Android. Last I checked it's disabled by default on stock Firefox (Fennec).

Firefox also has sandboxing: Security/Sandbox - MozillaWiki

As Licaon said, I can't find any examples of anyone exploiting its supposedly "weaker" sandbox and site isolation. Unless you have a very high threat model you should be good. Although I suggest IronFox personally, as it enables these settings by default along with other hardening adjustments.

No they don't :rofl:

Thanks for the information.

What about Fennec, is it OK to use?

Umm ya they do, and have for years…

To be fair, I did recommend Ironfox > Fennec.

The experts at GrapheneOS explicitly warn against Firefox, especially for Android:

They again give no examples of exploits…

If theory scares you, use something else. I've been pretty happy with Cromite myself…

…they also explicitly warn against F-Droid :person_shrugging:

I missed that until you mentioned it, more theory without CVEs. I looked, but can’t find exploits tied to F-Droid’s signature process or other complaints.

Then they push Obtainium in the forums… I’m personally not a fan of Obtainium or its lead dev.

Can you share why you don't like Obtainium?

Do you think getting APKs from GitHub in general is not perfect?

I avoid it for two main reasons.

Technically, I prefer the centralized security of signed repositories like F-Droid over blindly scraping APKs from GitHub. While F-Droid does shift trust to a central team, that tradeoff buys you guaranteed FOSS builds. F-Droid builds from source and strips proprietary trackers, whereas Obtainium just grabs whatever binary the developer uploads, which often includes closed-source libraries not present in the code. Plus, relying on web scraping means updates break whenever a dev changes a filename, and you’re constantly hitting API rate limits.

Of course there are benefits to either method and I’m a bit biased… But, you don’t need a separate app, and IMO the most secure path is to use F-Droid Client but add the Developer’s Official Repo. (e.g., using the Guardian Project repo for Signal, or the NewPipe repo)

Culturally, the developer used their official tutorial content to glorify Luigi Mangione, portraying the accused murderer as a saint. Regardless of politics, I don’t trust system-level maintenance tools built by people who use their project’s documentation to glorify accused murderers.

2 Likes

Thanks for the answer.

Is there a difference between APKs that come from GitHub and the ones that come from the developer's official F-Droid repo?

They debate the differences in this forum:

1 Like

So, should I switch from Fennec to Chromium-based ones? Previously I was using Cromite, which is the fork of Bromite, and it was good, but it lacked some normal features and extensions like uBlock etc., although using the script and DNS did work well. But I thought this browser was a little older and didn't have up-to-date things. So that's why I switched to Fennec. But after reading this conversation I am a bit concerned now. :smiling_face_with_tear:

I dunno, I use the one built by F-Droid… :slight_smile:

I keep IronFox with uBlock’s dynamic filtering as a compartmentalization browser for specific tasks, but I’ve switched to Cromite as my default.

Android does isolation way better than most desktops thanks to mandatory per-app sandboxing with SELinux and isolated processes. A compromised browser renderer is confined to the app’s scoped data by default.

But you should still be cautious: sandbox escapes via kernel flaws or shared permissions (e.g., storage scopes) are possible, so layer on work profiles, verified F-Droid APKs, and minimal grants for safety.

1 Like
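The thread contrasts APKs scraped from GitHub with builds from a signed repository and recommends installing only verified APKs. As an added example that is not part of any post here, this POSIX shell check pins an APK's signing-certificate fingerprint before installing. It assumes `apksigner` from the Android SDK build-tools is on PATH; the fingerprint and the apksigner output embedded below are constructed samples, not a real project's values.

```shell
#!/bin/sh
# Added example: refuse to install an APK whose signing certificate does not
# match a fingerprint pinned from a trusted source (e.g. the developer's own
# F-Droid repo metadata). Assumes `apksigner` from Android SDK build-tools.

# Pull the SHA-256 signer fingerprint out of `apksigner verify --print-certs`
# output read from stdin. Prints the digest in lowercase hex, no separators.
extract_signer_sha256() {
    sed -n 's/^Signer #1 certificate SHA-256 digest: *//p' | tr 'A-F' 'a-f' | head -n 1
}

# Compare an observed fingerprint with the pinned one (case and colons are
# normalised). Returns 0 on match, 1 on mismatch, 2 if nothing was observed.
check_pin() {
    observed=$1
    pinned=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ':')
    [ -n "$observed" ] || return 2
    [ "$observed" = "$pinned" ]
}

# End-to-end check for a file on disk; needs apksigner installed.
verify_apk_pin() {
    apk=$1
    pinned=$2
    observed=$(apksigner verify --print-certs "$apk" | extract_signer_sha256)
    check_pin "$observed" "$pinned"
}

# Constructed sample of apksigner output so the parsing can be exercised
# without the SDK present. The digest values are placeholders, not real.
SAMPLE_OUTPUT='Signer #1 certificate DN: CN=Example Dev
Signer #1 certificate SHA-256 digest: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Signer #1 certificate SHA-1 digest: 0123456789abcdef0123456789abcdef01234567
Signer #1 certificate MD5 digest: 0123456789abcdef0123456789abcdef'

# Constructed pinned value, deliberately uppercase to show normalisation.
PINNED_EXAMPLE='0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'
```

Usage with a real file: `verify_apk_pin app.apk "$PINNED_FROM_REPO" && adb install app.apk`; a non-zero exit means the build was signed by a different key than the one you pinned.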

Current Android versions like 14 and 15 have better security permission handling than previous ones. So they are generally safe to use with it, unless an app is truly compromised and you are granting every permission without checking the app's permissions and its intent, not questioning why it needs that permission, etc.