I have a Glinet[0] router that has Tor functionality and 'torifies' your connection, so even if there's some JS 0day that executes trying to decloak me, the adversary just gets a Tor IP instead of my home connection IP.
Note: I connect to Tor from my torified Glinet router which is doing Tor-over-Tor which is considered 'dangerous'[1] but I do it anyway.
This might be overkill for most, and I'm not doing anything illegal (I mostly browse clearnet sites instead of hidden services anyways).
If you read through the 10 year old presentation linked[0] you'll see they have ways to break just running over Tor. You really need to be running Tor on the machine, possibly via a VPN (like Mullvad or VPS+WireGuard/SSH), and either using Tor Browser, Whonix/Tails, or QubesOS.
My (updated) understanding is that running all things via Tor is slow without as much benefit as just a normal VPN and that if anything you use throw away VMs or Tor Browser sessions to avoid any way to correlate. Also note that a well known attack is simply knowing a connection is currently happening (preferably a long-running one) and cutting off the internet in suspected areas until the connection drops. So I guess either you need to avoid long running connections (I think you could do this in the local firewall?) or have redundant network connections like Dual ISP or ISP + LTE on something like OPNsense (cause wow, is it difficult to do this on Linux. I intend to blog about it someday soon).
[0] https://www.gl-inet.com/
[1] https://tor.stackexchange.com/questions/427/is-running-tor-o...