I use a cheap but private VPN service, with encryption and (allegedly) no IP logging reading the ToS.

I do not use wifi, that is insecure. My wifi chip in my computer (along with the bluetooth chip and camera) have been physically removed. Linux of-course.

I use Mozilla Firefox for the most part, sometimes Tor too.

One thing I do is make sure I manually program Bleachbit to scrub sqlite files in my browser directory routinely. Logs, caches, cookies etc: content-prefs.sqlite, cookies.sqlite, formhistory.sqlite, healthreport.sqlite, places.sqlite, signons.sqlite, webappsstore.sqlite (and their associated file formats) from my browser directory. Tor too stores these same kinds of databases, so any browser you use you'll want to learn what is in those directories and what they store.

Then, I also use Random Agent Spoofer to spoof my browser agent (spoofing metadata about what OS I use, what kind of browser it is, headers, get requests, etc.) and also allows me to disable webgl and geolocation in chrome.

I also use noscript and HTTPS Everywhere. Scrub noscript whitelist and reconfigure the list to your liking, whatever suites your browsing habits.

Go to about:config and learn how to use it, but be careful!!! There are some tweaks you can use to fortify and secure your browser, and to make it stop bragging about data.