1) I've been running my own email server on a VPS hosted by OVH since 2015 (dovecot+postfix). I also have a number of other email accounts. All of the remote email gets moved and aggregated to a dovecot/IMAP server at home which I can access from anywhere via dynamic DNS.

2) I use Firefox and sometimes the Tor Browser for the web. uBlock Origin and NoScript. I whitelist only JavaScript from trusted sites and only what is necessary to view/interact with the content. It's a bit cumbersome at first but after a while it gets to be routine.

3) I run a PC Engines apu2 [0] as my main router at home and it runs OpenBSD with the pf firewall and unbound for DNS. I maintain a blocklist/blacklist that is likely functionally equivalent to Pi-hole [1].

4) I keep offline backups with a drive in a safe at home and another offsite that I sneaker-net to my parents house.

[0] https://pcengines.ch/ [1] https://pi-hole.net/

Then there's the usual stuff: duckduckgo for search, ditch chrome for something like Mozilla, etc. You could use Tor or a private VPN, but that might be overkill and probably not as secure as many think.

* create throwaway accounts as necessary with no PII

* use a VPN on any networks I do not have insight into or control over the infrastructure.

* use a password manager. Have previous used Lastpass, currently use 1Password.

* Back up the data from the password manager on some frequency. I export my vaults from 1Password approximately every quarter, encrypt the results, and store that on an offline drive I have.

* Do almost all browsing in Firefox configured to erase all cookies and other site data every time it's closed. Yes, this is a pain in the ass.

* 2FA everything. Disable 2FA over SMS when possible.

* My "recovery" email is a paid service I use for nothing else. I don't send mail from it. I don't use it as the primary email on any accounts. It has 2FA. It does not have an address book. Delete any recovery emails sent after use, there's no archive of mail.

* For all financial accounts, the account email (e.g. ykdxq@example.com) is an alias to an email account. The email account is only used for financial services. The login username is a 32 byte sha1 hash from /dev/random piped through base64. The password is 64 bytes, stored in my password manager. The account has 2FA. If you have the account email and even (somehow) the password you cannot log in as it's not the login for the account.

* I will not use a financial service that does not provide some level of non–SMS 2FA.

* My primary email address is a paid G Suite account. It has 2FA set up in multiple ways. I use it for all email and most non–financial online accounts. I keep two years' email in it, periodically manually archiving email to mbox format and then deleting it (I do not use Google's data retention policies).

* My public cell phone number isn't tied to a physical phone. I do not use it for 2FA. When I need a number for 2FA I use a non-public cell phone number I do not use for anything else. I am still susceptible to sim-swapping and am still looking for a better solution here.

* I keep the text string of every TOTP QR code in an encrypted disk image. The default state of the image is locked, I have to unlock it whenever I want to store or retrieve data from it.

* I keep multiple encrypted backups of everything of value. Some are stored in the cloud, others on drives.

* I keep encrypted backups of all critical data (e.g. 1Password exports) on encrypted USB keys.

I used to think that having an S/MIME and/or PGP key would be the key thing and, well, I've never once really had to use either.