The Crash
Last spring I crashed the front of my car into a guard rail at 70 mph (110 kph). The front end crumpled and somewhere in that mess was the flash drive I was storing my recovery codes on. I still had my phone and my laptop so the actual fallout was manageable. I made new codes and moved on. But I sat with that for a while, because if it had been a worse day, a worse crash, a worse combination of circumstances, it wouldn't have been that clean.
No amount of encryption protected that drive from that guard rail.
That was the moment I actually stopped and looked at what I was doing. Not because the crash broke my setup, but because it almost did, in a way I hadn't accounted for. I had been thinking entirely in terms of abstract software and protocols, and almost none of it in terms of the physical world I actually live in.
Digital and Physical
There are actually two axes worth thinking about. The first is your digital exposure, what you put out there, what services you use, what you transmit and to whom. The second is your physical exposure, where your devices actually go, who can get their hands on them, and under what circumstances. A solid threat model has to account for both, because they fail in completely different ways.
When I have flown domestically I fully power down my laptop. A powered-down encrypted drive is a fundamentally different thing to hand over than a logged-in machine. That's not paranoia, that's just understanding that physical access changes the equation in ways that software can't fully compensate for. I also keep my laptop in my carry-on, so I know where it is at all times. The other thing I got wrong for a while was scope. I was defending against everything vaguely instead of anything specifically.
Security that isn't pointed at something real will expand to fill whatever time and attention you give it, and other things fall behind.
My Threats
What I'm actually defending against sits on two levels. One is semi-random searches and seizures of my physical devices, a scenario where someone or an agency gets their hands on my hardware and I want that to be as unrewarding as possible. The other is dragnet surveillance, not someone coming after me specifically, but being swept up in something I never intended to be part of. Those are different threats and they call for different responses.
For the dragnet concern I use Mullvad VPN with DAITA (Defense Against AI-guided Traffic Analysis) and multi-hop. For device encryption on my laptop I use a long passphrase with full disk encryption. For my notes I use Notesnook, which is end-to-end encrypted but also can be encrypted at rest. At rest I protect it with a passphrase rather than a hardware security key. I could use a security key. It would be more secure. But I'd be reaching for a physical object every time I wanted to write something down, and that friction has a real cost to how I actually use the tool. The threat I'm defending against doesn't require that tradeoff, so I didn't make it.
My Phone
My phone runs GrapheneOS with Google Play services. That is a deliberate step back from what GrapheneOS is capable of. I made it because I need a phone that works, and completely degoogled Android has a real, though unfortunate, usability cost that my threat model doesn't require me to absorb. The sandbox means Google Play can't see outside its own container, which is a meaningful constraint even if it isn't perfect isolation.
On the same phone I set the Type-C port to "always-on charging-only mode", meaning the data pins are disabled at a hardware level. Unless someone is deploying a high-end exploit, plugging my phone into anything, even unlocked, transfers power and nothing else. That one costs me nothing. When a security improvement is completely free it's an easy decision.
The Right Security
That's the whole game. Not maximum security. The right security for what you are actually defending against, applied in a way that you'll actually sustain.
I'm not going to tell you what your threat model should be. That's genuinely your call and I'd be doing the same thing as everyone else if I handed you a list of things to be afraid of and then told you what to buy. What I can say is that it's worth being specific. Vague threat models produce over-engineered setups that are exhausting to maintain and still have blind spots, sometimes literal ones, sitting in the crushed front end of a car.
The question isn't how secure you can make your digital life but how adaptable. It's what you are actually defending, from what, and whether your setup holds up when the real world shows up uninvited.