Say your threat model includes you being individually targeted.
On a Linux system with full disk encryption (via LUKS), where physical access is improbable and LUKS is using a strong passphrase/yubikey. Shoulder surfing/camera recording are not an issue.
What are risk factors, on a day-to-day Linux system, of files on that machine being compromised?
SSH/PGP key pairs are recommended to have strong passphrases, and storing things such as database passwords in plaintext on an encrypted system is considered not done. Why is this? What are the attack vectors on a system which is encrypted at rest and has little opportunity for physical access when unlocked?
I ask because I am figuring out to which degree I must further secure files on my computer that I wish remain private. The same thing goes for something like a local password manager like KeepassXC or the cli for Bitwarden. The vault itself must be unlocked to be useful, but once unlocked, how does it provide any more protection from the above concerns LUKS does?
Anything in particular I should look out for other than downloading suspect software and phishing attempts?
Can I additionally encrypt personal notes with something like age and decrypt as I start my note taking app? Where does it end?