I think this is the most important thing you wrote. I used to do network security for a small scientific government network back in the 1990s, and I constantly ran into the problem that there is an inverse relationship between security and usability. The scientists on my network were constantly finding ways of going around whatever security measures I put in place precisely because they didn't want to deal with the "hassle."
But I'm no different, really. Not too many years ago, I routinely disabled SELinux when I installed a new OS simply because I considered it too much of a hassle to learn how to use it effectively. It made it difficult for me to do stuff. Everybody yelled at me, but it just wasn't worth the effort to me. Now, I've learned it a bit and it's not such a hassle.
There's this balance between the inconvenience/damage associated with an intrusion versus the inconvenience associated with the security configuration. For me on the computer I'm using as I write this, it wouldn't be the end of the world if *everything* on my computer were owned by someone else. It would be a hassle, but not fatal -- I have insurance, etc. for the financial information I have here, and I don't really care if someone sees the email conversations I have on this machine.
So, considering the financial stuff, for instance. There's a hassle with someone getting my credit card information. It's happened (though not because of a computer glitch). My card gets frozen, I can't use it for a week or two, I have to make a bunch of phone calls, etc. But I'm financially protected and eventually I'll be fine. The problem is the hassle factor, not financial ruin. My biggest security concern is someone using up all my bandwidth; I live in a rural area and have metered service. Someone using up 5 gigs of bandwith is more concerning to me than them owning 5 gigs of data from my machine. So, I have to ask myself, which is more hassle -- dealing with the intrusion, or dealing with the security hassle?
It's my responsibility to determine where that balance is, and nobody else's. And it's likely different for everybody. For instance, I used to have a blog, but I'm a litigation consultant and I started seeing my blog posts turning up in court. So I don't blog any more. I can't be on Facebook, or LinkedIn, or Doximity, or ResearchGate. That's not a problem for me, but it would drive my wife crazy. I use one laptop for some stuff, and I use a different laptop, differently configured, for other stuff.
And, the higher up the food chain you go with respect to people interested in surveilling you, the less chance you have of keeping them out. I'm out of the business now, but back in the day I occasionally did some classified work. I remember some years ago, I called a friend of mine who worked for the government. I called him using the work phone of an acquaintance to ask him a technical question. He picked up the phone and immediately said "Hey, Bill, how you doing?"
I was stunned. I asked him how the hell he knew it was me. He said "Bill, I'm with the <government agency>. We always know where you are."
I have another friend who spent his early career working for a government contractor. His job was to break into people's houses at night and install keyloggers on their computers. With a subpoena, of course. All the security software in the world won't help you with that.
The key, for me, is to achieve the maximum security that I can achieve and stay below my maximum hassle tolerance. Qubes is nice because it adds a big uptick in transparent security with only a small uptick in hassle -- at least for someone who is fairly conversant with sysadmin stuff. So for me it's a big win. But it's not all there is.
There's no such thing as perfect security. There's only finding the balance between one's perceived risk, one's actual vulnerability, and one's tolerance for hassle. And any security configuration is self-defeating if:
1) People take it for granted and think that it's all they have to think about, and/or
2) It's enough of a hassle that you start going around it to do your work.
Your summary is incorrect, and you do my a disservice by misstating what I wrote and then arguing against your misstatements.
I did not say "I don't have anything to hide." What I wrote, if you reread it carefully, is that I modulate my security demands according to the balance of useability and security. You will note that I said that I use multiple computers, each with different security configurations. The stuff I "have to hide" I put on a different computer than this one.
It may be your choice to put all your eggs in one basket. I do not. That doesn't mean my position is that "I don't have anything to hide." What I do is I recognize that any outward facing box is a threat. Any outward facing box that you use to surf the web, try out new software, and generally play around with is a greater threat. What I wrote was that I don't put my crown jewels on the box that it likely to get compromised. That is *very* different that saying "I don't have anything to hide" or "I don't need security."
So you don't need to lecture me on whether or not I need security. You need to realize that all threats are not the same, and all security requirements for all places are not the same. That's why security is different when you enter your average grocery store vs your average courthouse vs your average military base vs the FBI headquarters vs Langley. And my security requirements are different for this machine than they are for the machine, for instance, that I keep medical or legal information on, or my Android phone. I don't do things using my smartphone that I don't want someone surveilling. It's not that "I don't have anything to hide, so why bother." It's "I know there's nothing I can do to make it secure, so I won't do things on it that I don't want surveilled."
And I'm not "blaming" anybody. What I'm saying is that ultimately every person has responsibility for their own security. And if you don't believe that, you will never *have* good security, because you will always be standing in the ashes of your privacy complaining that someone else didn't take care of it for you.