0. Searching for (multiple!) generic privacy/safety checklists (like 2FA, separate passwords/e-mails/token phones, offline password managers, HTTPS and checking the domain names for phishing, updating your software) is fine too! Also, remember that sometimes you might stand out more trying to hide something rather than just blending in with the rest, especially if the group is large enough.
1. Apply the principle of least privilege to everything - rethink if it's necessary to livetweet (esp. in public spaces) or share your location (esp. in NONpublic spaces). Not everyone on Facebook has to know you're attending a protest. Maybe you only need a Nokia 3310 as your 2nd phone for receiving 2FA token texts. Maybe something that's acceptable today will be forbidden tomorrow, maybe your friend needs help with substance abuse - the last place to store this stuff is on Facebook's servers.
2. Use open source and non-oligopolistic software, hardware and websites whenever possible (e.g. Shotcut and Dropbox instead of Adobe Premiere and Google Drive). Many of the programs that started displaying ads have their FOSS and/or self-hostable counterparts as well. Also, try to find out how much could be learned from your accounts on those bigger sites. Sometimes, blocking someone doesn't prevent them from getting your unique user ID, etc. Server shutdowns are a non-issue if you rely on your own storage instead of the cloud.
Browser recommendation: uBlock Origin with either Waterfox or ungoogled-chromium. Don't use Brave.
3. The dreaded profiling and even partially defamation/blackmailing could be rendered virtually useless if there's nothing to correlate or no way to prove the correlation. It's only bad to leak that you're fckrrr99 on a shady site if there's another "you" to connect it to. If you're either transparent or completely anonymous about who you are with all of your personas, then correlating them doesn't matter. Profiling is useless if you lie to the algorithms a lot, by firewalling software that should stay offline, resetting your Google Ads ID, using a lot of different stuff in an inconsistent manner, lying on surveys, using anti-tracking extensions etc. (but please don't give your home address away for no reason and don't save your credit card details anyway)
* However, please keep in mind that your usage patterns and browser footprint are probably even more traitorous than your IP address nowadays.
4. An allowlist-based firewall and scanning everything from unknown sources on VirusTotal BEFORE RUNNING IT has served me better than any actual antivirus.
5. Back up as often as the amount of time you're willing to lose (even if you don't work on your device, you definitely store the photos that you took or other kinds of personal data that nobody else has). If the answer is "whatever" then that's on you when (not "if") something breaks. And remember - there is no "cloud", it's just someone else's computer.
6. The saying "I'm not afraid because I have nothing to hide" doesn't make sense. Even if you don't think your accounts are that important - maybe the friend you messaged does, maybe your current views will be controversial later, maybe your password is similar enough to the one you use for a more important account (it shouldn't be!), maybe someone could deduce more than you imagined (as mentioned in #1). Same goes for encryption. Also, often, you're only as safe as your least safe friend.
7. Some of my favorite QoL etc. extensions are uBlock Origin, Blue Blocker, Control Panel for Twitter, and Unhook.
8. https://xkcd.com/936/
9. If you DO get hacked...
-haveibeenpwned.com is legit
-re-read #0
-change every password that is similar to the compromised one to a different, unrelated one, and never reuse similar passwords again
-same goes for enabling 2FA (preferably anything other than text messages)
-think about whether there were any recovery e-mails or anything else that could've helped someone get access to your accounts, and take care of those too
-if possible, let your friends know by different means so they won't click on any links your account may be sending now (also, if possible, ask them to revoke any admin permissions you might have, e.g. on Discord servers or whatever)
-remove those credit card and address details as you have no way of telling if this will happen again
-do everything you can to make sure there's no malware on your internet-connected devices
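
One way to carry out the "passwords similar to the compromised one" step offline, as an added example that is not part of the original checklist: it compares the base word of each entry in a local password manager export against the leaked password. The site names, sample passwords and the 0.8 threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Common character substitutions people use to "vary" a reused password.
LEET = str.maketrans("@4310$5!7", "aaeiossit")


def skeleton(password):
    """Reduce a password to its base word: lowercase, drop leading and
    trailing digits/symbols, then undo common substitutions."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password.lower())
    # Fall back to the raw password when nothing but digits/symbols was there.
    return core.translate(LEET) or password.lower()


def similarity(a, b):
    """Score from 0.0 to 1.0 for how close two passwords' base words are."""
    return SequenceMatcher(None, skeleton(a), skeleton(b)).ratio()


def find_similar(compromised, vault, threshold=0.8):
    """Return sorted (site, score) pairs whose password should be changed."""
    hits = [(site, round(similarity(compromised, pw), 2))
            for site, pw in vault.items()]
    return sorted(h for h in hits if h[1] >= threshold)


# Constructed sample data standing in for an offline password manager export.
SAMPLE_COMPROMISED = "Sunflower2019!"
SAMPLE_VAULT = {
    "forum.example": "Sunflower2019!",              # exact reuse
    "mail.example": "sunfl0wer#22",                 # substitution + new suffix
    "shop.example": "Sunflower2021",                # new year only
    "bank.example": "correct horse battery staple", # unrelated passphrase
    "games.example": "kX9$vQ2m!pLr7z",              # random, unrelated
    "pin.example": "12345678",                      # no letters at all
}

if __name__ == "__main__":
    # Only site names are printed, never the passwords themselves.
    for site, score in find_similar(SAMPLE_COMPROMISED, SAMPLE_VAULT):
        print(f"change password for {site} (similarity {score})")
```
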
BONUS: If a low voltage device that has declined in value breaks (or something is only partially broken, like lowered WiFi signal), try searching online for help with the problem - it's always worth trying if you'd trash it otherwise anyway! Nowadays, the tutorials are very good and easy to find. Some of my favorite free resources:
-Electrodoc, iFixit, Electric Druid (electronics/DIY)
-GBATemp, BennVenn's blog, copetti.org, RetroRGB, and hacks dot guide (game consoles/handhelds)
-XDA Developers (smartphones etc.)
-StackOverflow (software development help)
-web.dev (website creation compendium)
-freeCodeCamp, W3Schools, edX, Udacity, Alex Devero Blog, scrimba, GeeksForGeeks, Learn X in Y minutes, QuickRef.ME, Science Books Online, missing.csail.mit.edu (CS courses/books)
-books by Tom Ang, Michael Langford and Richard Schneider, the Pics of Asia website, as well as Jessica Kobeissi, Anita Sadowska, Pat Kay and Wolf Amri on YouTube (photography)
*bonus - Now You See It on YouTube which is technically mostly about cinematography, but a lot of the tips also apply to photography
-specific platform subreddits and YouTube tutorials
If you already donated to human rights funds of your choice and still want to help someone, you can donate to me by paying whatever you want at my Bandcamp page. Thank you in advance and good luck!