Best setup to augment privacy journey

Hi everyone! Newbie here.

I recently switched to GrapheneOS on the latest Pixel, which feels like the most private phone setup possible. However, my broader tech setup feels far less private or secure in comparison. Previously, I used an iPhone, Apple Watch, iPad, and a laptop running Fedora. I now want to streamline my devices while maintaining a balance between privacy, security, and convenience.

After reading about the lack of robust permission management in desktop OSs, I’m considering a Pixel Tablet with GrapheneOS, an iPad, or a Mac. While Fedora on a laptop is strong from a privacy perspective, it lacks features like secure elements, protection against brute-forcing, and proper app permission management. Given that human error is often the weakest link, I’m trying to minimize risks.

Here are my thoughts on possible setups:
1. Pixel Tablet with GrapheneOS: Likely the best combination of privacy and security, but the current hardware is too limited for my needs.
2. iPad: A feature-rich, secure device with great permission controls. However, I’m concerned about reduced privacy, especially if data like location or files are accessible to Apple, even without relying on their services (e.g., iCloud).
3. MacBook: Offers more freedom (e.g., skip Apple ID, download apps) and better privacy than the iPad, but similar concerns about Apple’s access to location or usage data.

For now, I need a laptop or equivalent device for work, storing important files, and syncing with my GrapheneOS phone. While my phone remains secure, syncing could expose data on less secure devices.

I currently use an Apple Watch for fitness tracking and reminders (on airplane mode with GPS off), paired with an old iPhone left in a drawer. I will try to convert it to a standalone later on through a Family Setup.

Separately, I run a VPS for a home server (TrueNAS Scale) but am unsure how to make remote connections more private. I’m considering Tailscale but don’t want ISPs to track where traffic is routed.

Threat model:
• Generally focused on avoiding tracking, surveillance, and scams.
• I live in a totalitarian country with nonexistent human rights, so there’s a real risk of being detained arbitrarily. For this reason, I aim for plausible deniability and data security while maintaining convenience. Though, I’m not looking to go full nuclear (e.g., QubesOS)

Lastly, my concern about Apple has grown since they recently appointed a local representative to handle government cooperation in my country. Although Apple has ignored government requests in the past, I suspect this might change, potentially leading to invasive surveillance measures.

Any suggestions on how to optimize my setup for privacy, security, and convenience?

The one piece of info, to me, that seems to be missing is what about your current setup is not meeting your threat model?

I would also caution you about aiming for plausible deniability. If there is a risk of arbitrary detainment your goal should be to minimize the amount of data you have on you that could cause you issues if you are detained.

Yes, pretty much. What I’m doing right now is only a part of the equation. I try to approach my goal slowly to not crash).

For the plausible deniability, I only need to hide services that contain/have access to any private information they want (eg password manager, browser data, files, photos). I love gos for that since I can just put anything affecting my life if leaked in private space or profiles that I can delete in an instance. I also have a simple password for duress that is visible in the obvious place for them to enter. VPS via smth like iPad could probably achieve the same, but it would leave the connection traces behind.

I try to leave as much on the cloud as possible and only have files locally for something I’m expected to have.

Put TAILS on a USB stick. That’s a must have and simple to do.

Would using a USB dock with screen, keyboard, mouse, and external SSD be enough?

Congrats for transitioning to GOS, that’s very great ! Now honestly you just got to choose between Pixel Tablet, iPad or MacBook.
I think that all three are good choices and that you just have to USE them well in relation to your threat model.
I personally use a Macbook alongside my smartphone (GOS).
Maybe you can check on GrapheneOS forum or official account the grid of Cellbrite hacking capabilities if this is of value to you.

Rather than contemplating which devices or the OSs to use consider compartmentalizing your usage. Designate your laptop/desktop for work and store only work related docs on them. For personal, use your GOS phone.

This simplifies your conundrum of finding a balance between privacy/security needs with the need to simply get work done. So if you have a MacBook then use it for work and only (or mostly) for work. You will need to create separate accounts for each device for this to work since the security of desktop OSs are less secure. For example, an account for a password manager on your laptop that only stores work related logins and a different account on your GOS phone to store personal logins.

That might actually be a solution once they upgrade the lineup. Current generation is just bad in general: bad efficiency, battery, performance, etc. I will buy it with the new release and GOS’s Linux desktop mode support.