On Linux (Ubuntu) I had just installed Chrony and entered server time.cloudflare.com nts to /etc/chrony/chrony.conf
This forces system to ask time via NTS (TLS) so nobody can intercept or spoof it.
So I think it will be good to add extended guide about this situations.
Regarding NTS servers, here what i found:
time.cloudflare.com
ptbtime1.ptb.de
nts.netnod.se
Plain NTP have plenty of issues and concerns. Detailed articles here, here and here
And even if it is not your threat model, there can always be someone with even higher threat models