Keep critical machines air-gapped. I don't know about the really new machines cause who knows, there could be built in Wireless/4g/5g/satellite networking of some sort, but with older machines as long as it's not connected to any physical network I'd imagine you'd be pretty safe (until someone else gets physical access to the machine of course).
Another point I just thought of though, from reading your post. I wonder if it'd be a good idea to pick up some fairly old hardware, maybe 2005 or 2000 or before. It'd be slow as shit, and couldn't run code from the newer platforms, but for a non-networked machine for basic stuff you'd probably be pretty safe.
My point of mentioning older hardware vs newer hardware on air-gapped systems greatly depends on how paranoid someone may be. For example we had the supermicro weirdness a while back, talks of chips implanted in motherboards. I'm pretty sure in that scenario the chips were implanted on the network stack, so the motherboard would have to be physically wired for them to have any effect. What we don't know is if there were any similar chips ever implanted that instead rely on local wireless or cellular based networks. That way even if a machine is airgapped as in not connected to wired network, an attacker theoretically could connect as long as the machine is located within range of a cell tower. Old hardware would then protect against the mere theoretical possibility of this, as we didn't have these types of networks back then (depending on how old).
It is true that for the average person a machine like this would provide little use, as most people rely on online data. However if someone had a ton of offline data, a machine like this could still be used to analyze it. I could think of some scenarios where something like this would be useful, but as you stated, this is only justifiable for the most paranoid.
Get a firewall and learn to write policies.
Keep critical machines air-gapped. I don't know about the really new machines cause who knows, there could be built in Wireless/4g/5g/satellite networking of some sort, but with older machines as long as it's not connected to any physical network I'd imagine you'd be pretty safe (until someone else gets physical access to the machine of course).
Another point I just thought of though, from reading your post. I wonder if it'd be a good idea to pick up some fairly old hardware, maybe 2005 or 2000 or before. It'd be slow as shit, and couldn't run code from the newer platforms, but for a non-networked machine for basic stuff you'd probably be pretty safe.
My point of mentioning older hardware vs newer hardware on air-gapped systems greatly depends on how paranoid someone may be. For example we had the supermicro weirdness a while back, talks of chips implanted in motherboards. I'm pretty sure in that scenario the chips were implanted on the network stack, so the motherboard would have to be physically wired for them to have any effect. What we don't know is if there were any similar chips ever implanted that instead rely on local wireless or cellular based networks. That way even if a machine is airgapped as in not connected to wired network, an attacker theoretically could connect as long as the machine is located within range of a cell tower. Old hardware would then protect against the mere theoretical possibility of this, as we didn't have these types of networks back then (depending on how old).
It is true that for the average person a machine like this would provide little use, as most people rely on online data. However if someone had a ton of offline data, a machine like this could still be used to analyze it. I could think of some scenarios where something like this would be useful, but as you stated, this is only justifiable for the most paranoid.