Before we even start talking about securing your smart device, you should note that depending on the use case, you might simply not want to carry one with you in some situations. Smartphones are the backbone of the surveillance state: they can tell where you are, who you are contacting, and be hacked a bit too easily for your comfort if you work on a really sensitive issue.
They are even worse if you have a virtual assistant activated (Siri, Google, but also Alexa devices in your home). While they remain silent until you call their name, they have to listen to everything you say (and transfer it to their company servers) to be able to understand and react to your call. You can live without these, and should.
Recent Android devices are encrypted by default. You can check this in Settings > Security > Encryption. A reasonable passcode should be adopted if you plan on not making your device too accessible.
This is also the case for recent IOS devices. You might however want to add a secure passcode in Settings > Passcode. If you back up your device using iTunes, you should also encrypt the backups (check the Summary tab).
Note: Samsung devices also offer an additional layer of security with the Knox Secure Folder. This allows you to move documents and apps to a folder protected with a hardware key encryption.
Current smart device operating systems (iOS and Android) should give you a lot of information and control over what the different apps you are using have access to on your phone or tablet. Whenever you install a new application, you should ask yourself whether the authorisations it requests are relevant or excessive.
Depending on the app and the scope of its requirements, you should probably reject these requests or renounce installing it altogether.
In some countries, including the US, customs officers have a right to access and copy data from all your devices when you enter the country. You can refuse them access, but this carries risks of non-admission into the country. EFF published a travel guide (2017) on the subject, and ACLU presented an explanation (2018) of what you can and cannot do in such a situation.
Their recommendations include travelling with as little data and as few devices as possible, encrypting devices and shutting them down, as well as storing data in a secure cloud-storage account and disconnecting it before crossing the border. Using a burner phone (i.e. not your usual device) when travelling for sensitive research could also be appropriate.
Biometric identification (fingerprint or face identification) is a double-edged sword. On one hand, it means your phone is harder to unlock when you are not present. On the other hand, bad actors can force you to activate your device without your consent: in some countries, you are not legally bound to give your password to law enforcement, but they do not need it if they can just point your device to your face and unlock it. A device cannot detect your intention, whereas entering a code requires you to do it willingly.
In case of theft, you might also be interested in options for remote deletion of your data using "Find my" (Apple) or "Find my device" (Android).