Mainly the OS has security options to prevent IME network connections that aren't always on by default, but users can enable them. (They might be off because it disables some features that need internet access.)
IIRC there was also some Android API that could be used in the app to help, but I don't remember what it actually did atm.
Perhaps your man the incognito keyboard option? Signal uses it, but no API I can imagine will protect against a malicious IME.
Worse still, even if you block IME internet access on a device with a factory-maliciois IME, they could just upload the data using some other service on the device.
Installing a known-good IME seems like the only fix I can think of?
IIRC there was also some Android API that could be used in the app to help, but I don't remember what it actually did atm.