1. Buy a Pixel
2. Install GrapheneOS
3. Do not install the Google Play Store; it's optional
4. Create a non-admin profile for him
5. Done, nothing else can be installed by him

Regarding phone calls, I don't know if that is possible, but it would be an interesting feature to implement (a whitelist for calls instead of a blacklist). You can suggest that to the devs; they are very responsive.