The first step is buying devices from reputable vendors and trustworthy resellers to minimize the likelihood of malware being pre-loaded from the factory or while in transit.

Given the size I suspect this is also a common attack vector.

Also,

Android TV devices should have their remote access features disabled if not needed, while taking them offline when not used is also an effective strategy.

Is this a thing? Why would a TV have remote access features?