i don't think you can call opsec basic, since it requires tons of knowledge about technology and techniques adversaries might deploy against you. targets of attacks don't neccesarily have this kind of knowledge.

opsec is _incredibly_ hard for a person not deeply into technology and this type of information. you might argue that you need to stick with certain tools and techniques that are known good, but new vulnerabilities and techniques implemented against you can completely shatter previous knowledge on whats good and bad opsec and still break it despite doing it 'very well'. (like certain darknet markets being closed down due to new vulnerabilities being found in the platforms they use...)

most people who rely on opsec/tradecraft for a living, also rely on teams of people to help them maintain it and validate it constantly... (or eventually fail and get bitten).

you are right though that its unlikely a company or app producer would have a threat model tuned to people who want to hide stuff. those things generally tend to be closed down sooner or later. (encrochat and such services...)

You are absolutely right, I think it should be basic opsec, but is probably advanced opsec seeing how many folks get tripped up by this stuff.

This means, never using a browser context you have ever logged into any service that is personally identifying. That also means the order in which you load pages. If your ritual is open pintrest followed by slashdot, that is now your finger print.

It isn't just what you do, but how you do it and the ordering between those events. You also don't want to accidentally deanon yourself or your peers, even when everyone is trusted because it also leaks group membership information.

The mental framework for opsec can be modeled as vector calculus and differential geometry. You have to think of the flow of information across a surface and in the integral of that flow. Assume an adversary with perfect total information.