I think you might be making the common mistake of trying to implement “countermeasures” before assessing your threat model. Security is a highly individual process. You need to identify, in order:
1. What you are trying to protect
2. Who you are protecting it from
3. How you might be attacked by those people (how are you vulnerable)
4. What do you have to lose (what is your potential risk)
5. What you should do to prevent that from happening

This is not a process that you do once. It is not something on a scale from high to low. This is a series of questions you ask yourself every time you do anything. If you sign up for a new website, you follow this process. If you want to sync your browser data to your phone, you follow this process. If you want to sell some art online, you follow this process, etc.
When you just skip to step 5 and do everything “just to be safe,” you end up:
- being reliant on forums and other sites to tell you what to do
- spending time/energy/money on security measures which have no benefit, for a threat which probably won’t even impact you
- potentially increasing your attack surface by using tools you’d otherwise have no reason to use in the first place

I know it is not fun advice, because we would all rather check off a list and call ourselves secure, but everyone’s goal should really just be to make this opsec process something that’s second nature to them. You practice brainstorming and identifying potential threats before everything you do, and it becomes instinctual.
When we talk about threat modeling, the goal is not to come up with a list of things to do. Using the thought process behind threat modeling is the goal on its own; that’s what’s important if you want to protect yourself.