Basic Cybersecurity Hygiene Tips for a Safer Experience?

As a please-eli5 post, I direct you to this, which is a list of recommended first steps to follow. This wiki guide is about avoiding big tech/surveillance capitalism. As for passive attacks, Privacy Guides defines it as follows:

Being protected from things like malware, data breaches, and other attacks that are made against many people at once.[1]

To protect yourself from malware, use common sense practices. Keep everything updated to receive the latest security patches (this was gone over in the first steps guide). Using a specific desktop/laptop operating system doesn’t matter as much for passive attacks. Just don’t download random and untrustworthy files from the internet. Don’t run random and untrustworthy files on your computer. If you need to open a PDF randomly downloaded from the internet, use Dangerzone. If you need to run or open anything else that might be shady, use a virtual machine. Mobile phones are a good entry point for malware, so use a secure operating system like GrapheneOS.

The harm of data breaches is mitigated by using randomized passwords generated from and stored inside a recommended password manager (which the first steps guide should have covered). Their harm is also mitigated by email aliasing. Don’t reuse usernames unless it is intentional. Use data removal services to remove personal data floating around brokers. Use virtual cards like Privacy.com. Delete any account you don’t use anymore. Keep your real phone number away from the internet. Use masking or SMS services. MySudo has virtual phone numbers, but they are primarily recommended for their virtual cards. There’s no consensus other than that on which SMS service to use, but there’s talk about it on the forum here, here, here, here, here. There’s also a PR draft in progress™.

