
> Android tablet is a tough sell for my employer due to compliance, security, and such

From a compliance POV what's an acceptable alternative? Would some unix variant be any more palatable?



In some industries, anything that “computes” or has a data connection is strictly regulated. If data can move in or out, it needs to be verified.

So, if you want to avoid those validation steps, it would need to be a dumb device without an OS. Like the parent said - just a monitor.


I agree with the sentiment, but it is harder and harder to find truly "dumb" devices anymore. USB has a complicated (and vulnerable) firmware stack. Monitors have hackable on-screen display controllers. Unless you want to go back to VGA... Just saying...

https://github.com/redballoonshenanigans/monitordarkly


In this context, I think of two things: hackable spying and data exfiltration.

The first is when a device runs processes that can be hacked so that it can report on your activities. Capturing the display or keyboard input would be examples. This generally requires an active network connection, but not always. Because this device runs a version of Android, it’s potentially hackable (I’m not saying it isn’t secure, just that it would have to be validated).

Second, if a device can store or transfer data, it would be possible to send confidential documents out the door without knowing about it. Because this has on-board storage (and is small), it has this issue too.

A monitor, even if its OSD/firmware was hacked, is much less likely to be able to do either of these things.

There are industries that have real concerns about data privacy and security. In these cases, the dumber a device, generally the better.


Dumb devices can have smarts; they just need to be incapable of shenanigans. Maybe a monitor can be reprogrammed to capture screen shots, but without storage or a network connection, that isn't useful.


What about a firmware flash that nukes the Android part and makes it behave as a display, which hopefully you can flash back to your OS if policy or use case changes?


I would think the main thing would be no network hardware and ideally no network stack. After that, a minimum of local storage: nothing persistent outside of firmware, and certainly nothing that would provide any type of file system visible to the host computer.



