I have had a lot of debates about Roku's not only not having adequate Privacy but actively snooping on what you watch then sharing your data.
When discussing privacy with people I ask them how they would like to be searched when they entered a supermarket and to have photos of their personal items taken, to have details of what they do, where they have been, who they connect with, what they say collected and shared with typically 400+ data sharing agencies who then go on to share their data with anyone they can get to pay for it.
Of course they say they would not tolerate such behaviour, it is one thing to not consent to such behaviour but again I ask "how would you like it if despite you declining to consent they shared it anyway on a spurious assertion of having a legitimate interest to take your data whether you consent or not". Again they do not like it and are mostly unaware that most of the cookie widgets on websites do not even give them the opportunity to object to that alleged legitimate interest.
The data by itself is not much but when you combine it with other data it becomes very personal and a massive invasion of your privacy.
What is more frightening is when you are refused things like insurance because of this data or offered higher prices because you have been determined as a gullible fool by these metrics.
I was thinking about Roku and what kind of product it should be like and I came up with a Garage. Roku is a container for your apps (cars), the Roku channel is tripe, even for the most bored and rapidly deleted. It is the device that matters as a container for other apps.
Time was when you could side load apps into OEM versions of Roku, but Roku sold it's soul and blocked that, now those devices are in Landfill, thanks Roku.
Now if you extend your home and put a Garage on the side you do not expect the builder to put up advertisement hoardings in and on your Garage, nor do you expect the manufacturer of the construction materials to embed spying devices and to share the data they collect. Worse still you do not expect them to leave a hidden back door where they can install any new spyware they want.
To me the worst thing is the lack of the ability to refuse to participate in this data collection and data sharing.
Ironically it seems I would be safer buying a Chinese device that may have CCP spying because they will not be sharing with the 400+ data collection agencies nor be able to influence the decisions of western companies on prices I pay or services I am able to take out.
I wonder is there a community of ex-roku staff who have the skills to fork old firmware into a robust and resilient firmware that does not have the privacy issues or the data sharing and that blocks Roku from updating. I do remember some years ago I was able to block the servers (on my router) that Roku uses to update but that was on an old router and I neglected to save the information.
Does anyone in this community have the details from Wireshark or similar to identify where the updates are served from etc.
You already have the ability to refuse. Don't use the product. I agree that is a lousy answer but it is what it is, at least for now.
On the other hand, the rest of what you're suggesting is not a bad idea. That may be possible. It would void the warranty on your hardware but many have made that sacrifice willingly with many devices. It would actually be cool to be able to install an open source OS on Roku's and other similar devices, and it wouldn't surprise me at all if there's already teams out there somewhere already building open source alternatives to big name streaming device OS's.
Have you Googled it? I'm guessing probably and you didn't find anything yet otherwise you most likely wouldn't be here discussing it. There are quite a lot of folks out there discussing it. Discussions like them usually develop into, well, actual development. I would keep an eye out and look around. Something will probably start popping up at some point.