Use calmly. If there are no third-party applications, and the permissions are configured, the chance of losing money from the card is minimal. This is already from the category of paranoia. If you are still nervous - use the latest version of a third-party browser (for example, Mozilla), disable JS for all websites except trusted ones, and install an antivirus + firewall.
If you wish, look for new firmware for the desired device. If you are completely paranoid and there are no more new firmware - sew a custom rum based on the image from the Android SDK
And so, I repeat, there is no practical sense in this. There are always vulnerabilities. Only ordinary people will not be broken by a specialist. And even if this particular tablet is hacked, two-factor authentication will not allow an attacker to use your funds.
Better think about using a mobile phone (mobile banking, transferring confidential information via telephone). Algorithm A5 (still used in the GSM standard) breaks down after 8 seconds of conversation, and the replacement of the base cell is made easy. And if you reboot the phone from under the changed base cell, the attacker will easily get your iccid and imsi and will be able to emulate your sim card with all the consequences. And you won't even understand it. A van is parked in the yard, and the phone will not even understand that it is connected to the left base station. And someone is already clearing your card with bank transfers via SMS.

If you do not put anything left and do not download - you can not worry. Especially only a home network.

For two-factor bank authentication, use a separate blunt push-button brick mobile phone.
Even though I don't understand these people.
Why take the risk and use any version of the smartphone OS for banking? Do you ever need to make a purchase so urgently that there is no way to get to a stationary PC?

I'll just leave it here: https://www.anti-malware.ru/news/2018-08-30-1447/27309
"And so they have everything ..." In the sense that vulnerabilities of this level are constantly found in android that the user often does not require any action at all, it is enough to have bluetooth or WiFi turned on on the device. And these vulnerabilities are fixed only in the next major version.
As for your particular case, you can use an android, but I would have a separate card for linking to the device. And on this card I would keep a couple of thousand, and if the purchase is large, then I would transfer the amount to this card for payment immediately before making the purchase.