Doing a factory reset and full storage clean is the way to go here. Service will not fiddle with kiosk apps or the like. In my experience, they wipe your device anyway – so make a good backup and wipe it yourself.
Don't forget (to back up and wipe) your internal SD card – and simply keep the external one with you.
For details on how to achieve that, please see: "How to make a complete factory reset, without anyone being able to retrieve my data" – it asks for a different reason (selling a device), but with the same goal (protecting (or rather completely wiping) your personal data which resides on the device). And while the answer there gives detailed background, here come some points for the doing:
- back up whatever you need (and can be backed up)
- if you've got an external SD card, simply take it out and keep it. What they don't have they cannot look at.
- as you want all data on internal storage gone, just wipe that completely. Easiest way for that probably is:
  - remove any Google Account you might have configured, to avoid tripping FRP
  - perform a factory reset, then
  - turn on full device encryption. Let it encrypt the entire device.
  - optionally, copy some files to it
  - perform another factory-reset, turning device encryption off
By toggling device encryption on and off again, the entire storage should be overwritten (without you requiring root permissions to do so explicitly). This makes data recovery very hard – actually, nearly impossible; though Forensics might have their ways, that would be far too expensive for someone simply curious unless that someone knows there's something of value to be found.
PS: All that of course assumes you are still able to perform those steps. If e.g. the device no longer turns on at all, chances of achieving any of that are rather low.