Btw, you can even run a executable file which has been renamed to any extension (.txt or .whatever) in command line. (See PATHEXT env)
It just recognized by the explorer (and shellexecute api’ third parameter).
So that’s mean all files have “executable” permission by default.
You could try adguard (android version), but it is paid.
And the biggest problem is most of sites are already upgraded to https, it needs MITM attack, but lots of applications won't accept any user certificate... (so adguard needs be installed to let those apps bypass its proxy, that's mean, you cannot just host a central proxy server to filter all ssl traffic)