Sync doesn't introduce a security issue. Neither does unsigned package installation, as long as you don't install a package that introduces a security hole.
USB debugging is obviously a huge security issue, but you can have USB connections not work with the phone locked, such that you have to enter the password and unlock the phone before you can attach.
The real security problem: remote package installation, which Android allows without prompting for anyone signed into your Google account. So, that reduces the security of your full-disk-encrypted phone to that of your Google account, if you tie your phone to a Google account. You can avoid that by not using a Google account, but that means no Play store.
USB debugging is obviously a huge security issue, but you can have USB connections not work with the phone locked, such that you have to enter the password and unlock the phone before you can attach.
The real security problem: remote package installation, which Android allows without prompting for anyone signed into your Google account. So, that reduces the security of your full-disk-encrypted phone to that of your Google account, if you tie your phone to a Google account. You can avoid that by not using a Google account, but that means no Play store.