How did you attempt to remove the packages? Using opkg remove will actually end up consuming more space, and it will not free up any at all because the packages are 'baked-into' the firmware ROM and cannot be deleted.
Very unlikely to fit, but you can try.
I'm not sure if you're going to be able to fit this in, but you can try.
Security concerns typically only surface after your systems have been compromised and you look back wondering what you could have done differently. Don't underestimate the damage that can be done just by nabbing the password for your email, as an example.
But that notwithstanding...
You need to build your own custom image using the image builder. Follow this guide for what you can safely remove -- this needs to be done in the image builder 'recipe' to actually remove them from the base image.
You can take a look at my thread about doing a similar minimalist image, but in my case it was for a print server that does not have/route internet access (so I was able to remove -- or try to -- more than you can). You will need to keep the firewall and dhcp server and a few other things. Add wireguard into the image (it's more space efficient than adding it later because the image itself is compressed), and add a minimal LuCI to see if it will fit. You may have to spend a lot of time playing with the exact packages that will fit.
Oh, and one more thing -- you may run into issues down the road where settings get lost. That happens if the flash memory fills up and it can no longer write the config files. This will even be a risk if you change (not add) a config element such as the upstream wifi network credentials.
Another thing to note: I believe your device has only a single radio. If you attempt to run a wireless uplink (sta mode), that must be able to be established before the AP mode operation can start. If the upstream network is not available, the AP will never come up. There is a solution for this called Travelmate, but it's highly unlikely that you'll be able to fit that, too. So plan to always have a system with ethernet so that you can actually connect to the router if the wifi AP won't come up.
Yes, I am also using 18.06.9 on a 4/32 device for my print server, but it is on a trusted network and does not have access or exposure to the internet.