Non-physical system compromise, what to do in addition to disk encryption?

Say your threat model includes you being individually targeted.

On a Linux system with full disk encryption (via LUKS), where physical access is improbable and LUKS is using a strong passphrase/YubiKey. Shoulder surfing/camera recording are not an issue.

What are risk factors, on a day-to-day Linux system, of files on that machine being compromised?

SSH/PGP key pairs are recommended to have strong passphrases, and storing things such as database passwords in plaintext on an encrypted system is considered not done. Why is this? What are the attack vectors on a system which is encrypted at rest and has little opportunity for physical access when unlocked?

I ask because I am figuring out to which degree I must further secure files on my computer that I wish to remain private. The same thing goes for something like a local password manager like KeePassXC or the CLI for Bitwarden. The vault itself must be unlocked to be useful, but once unlocked, how does it provide any more protection from the above concerns than LUKS does?

Anything in particular I should look out for other than downloading suspect software and phishing attempts?

Can I additionally encrypt personal notes with something like age and decrypt as I start my note taking app? Where does it end?

I think it’s hard to answer this without more clarification of what type of adversary could be targeting you. For example, if a government agency is targeting you, that’s much more difficult than, say, a stalker and would require different approaches.

Definitely not a government/state actor.

Compare it to being a public figure with access to something a malicious actor knows that figure has access to :p. We all have things we’d rather not see public - what steps can one take other than encrypting the volume at rest?

Even if the threat model didn’t include being targeted individually. Even if all I had to protect was highly personal notes or media. Would those, willy-nillily stored in a ~/Documents folder, not be vulnerable to anything after LUKS decrypt?