While I agree with most of the sentiment in this thread that attaining security and privacy in a mobile device is, to say the least, an uphill battle, let's not devolve into xenophobe mockery and state some facts, shall we? Paranoia begets curiosity, and curiosity begets knowledge

It all depends on your threat model. Commonly, one assumes that everyone is Out To Get You™. In this case, this implies that your carrier and the government cooperate. So this means that The Man knows about everything you send to or receive from your carrier. While you're logged into the mobile network, this includes approximate location data.

Even if your carrier doesn't cooperate fully, law enforcement can send a Silent SMS message to your device. This doesn't really do anything, but connection logs are generated at your carrier's facilities which can be requested on short order by the police.

Your device includes a GPS receiver. That in itself is not a risk. However, most producers of GPS chipsets (and thus, firmware) operate under the assumption that GPS radio data is always genuine and this means that it's automatically trusted. One simple attack is spoofing GPS satellites telling your receiver that it's equally far from all satellites it sees (which might be all that exist), in other words, that you're located in the center of Earth. Quite a few receivers hang, crash or overwrite their own memory when confronted with such input.

And of course, using GPS as a "secure" time source is ill-advised.

GSM is susceptible to man-in-the-middle attacks. Although the client authenticates against the network, the network doesn't authenticate against the client. UMTS fixes this. You need to force 3G in order to be secure against that. Even then, network certificates could be forged by a crafty attacker.

I'm pretty sure that tablet mode wasn't designed for any sort of security-sensitive scenario. Changing your IMEI would, in my limited view, only make sense if your current IMEI was somehow tainted or if it could be repeatedly rotated. Even then, your IMSI is fixed.

This just off the top of my head. If you insist on security, you'd do better with a laptop with Linux. In the extreme, the RMS approach.

Oh yeah, encrypted connections relying on certificate authorities aren't all that hot either, but I'm sure you knew that.

As juiceme has stated, device procurement is a headache even for big governments like the USofA's. At some point, you need to root your chain of trust somewhere.

Edit:

Did you hear about the NFC vulnerability paper? Yeah, the N9 is vulnerable, too. Because libpng in harmattan is old and vulnerable. Great, eh? This is an issue for all vectors where PNG images could come through. I.e., your browser. I don't think JPEG does much better. I'd even expect it to be worse.

And "Bluetooth security" is probably an oxy*****.