Another potential point of information leakage is OpenID. If you sign into any web sites with [Facebook, Google, mSoft, Amazon, etc.], the OAuth server authenticating you has a interaction with that site, and easily could record it.

Yes, it's pretty straightforward to run your own OAuth server, but then what websites accept its authentications? I've gone back to individual passwords, using a pw manager. BitWarden makes this fairly painless.

Anyone know of a generally accepted OWA server based in a GDPR country?

Also, no mention of DuckDuckGo as a way to anonymize search engine access?