Check out Fortress Linux, possibly using a version of xombrero, not sure https://www.fortresslinux.org/
Myself, I was planning to use a separate login for web browser, streaming audio visual, etc., alongside an offline desktop for work on documents but with ports open to read and send e-mail, access an ssh account, etc. - a 'disaster recovery' approach; plan on minimizing the damage and recovering as quickly as possible following a breach. I guess I should also make more use of profiles to separate misc. surfing from web accounts.

In the past code injection has essentially rendered unencrypted Internet useless for myself. Encryption wise, OpenVPN has not proved reliable, nor L2TP for some odd reason, though things may have changed with the recent SSL fixes (I'll give them another go at some point). However, ssh running as a socks server seems to work fine; firefox will also resolve DNS calls over the socks connection (privoxy and polipo can be used to set up a socks forwarding http proxy for other applications, which usually will resolve DNS over the proxy also).

Having used xombrero for a while I tend to configure firefox as similarly as possible: NoScript usually only allowing scripts called from the web page itself (i.e., click 'allow' once and no more), AdBlock with all filtering options enabled, disable disk and memory cache, DNS and page prefetch, spoof the browser ID. I don't use this addon but it gives a good idea of the settings that can be used to render firefox anonymous: https://github.com/dillbyrne/random-agent-spoofer/

HTTPS Everywhere: https://www.eff.org/https-everywhere

Type about:support into the address bar to get an overview of what settings are set, etc.; also eff.org's https://panopticlick.eff.org/

None of the above is any use unless the install is relatively untainted security wise. I run a very tight firewall also (but have not yet got round to setting up the monitoring end of things); this I'm sure has helped in the past.
I have learnt DNS servers are not reliable also - preferably encrypt DNS, if not then use a server that advertises enhanced security as a feature. The net result: I only experience data injection occasionally nowadays (though obviously I cannot be 100% sure); more of a problem seems to be confidentiality.

As to the future: EMF issue, how secure are FreeBSD jails?, DNSSEC?, port the lot to Fedora, review of current authentication options in addition to password strategy - https://www.yubico.com/2014/11/neo-supports-u2f-otp-key-time/ looks interesting, etc.
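Added example, not part of the original post: a small audit of a Firefox `user.js`/`prefs.js` for the settings listed above (SOCKS proxy with DNS resolved through it, disk and memory cache off, DNS and page prefetch off). The pref names are Firefox's own `about:config` keys; the sample file is constructed, and the loopback check assumes the SOCKS listener is a local `ssh -D` tunnel.

```python
import re

# Expected values for the settings described in the post.
EXPECTED = {
    "network.proxy.type": 1,                 # 1 = manual proxy configuration
    "network.proxy.socks_remote_dns": True,  # resolve DNS through the SOCKS proxy
    "browser.cache.disk.enable": False,
    "browser.cache.memory.enable": False,
    "network.dns.disablePrefetch": True,
    "network.prefetch-next": False,          # page (link) prefetch
}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}  # assumption: local ssh -D listener
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value} for active user_pref() lines (commented lines are skipped)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """Return a list of (pref, found, expected) for every setting that deviates."""
    prefs = parse_prefs(text)
    findings = []
    for name, want in EXPECTED.items():
        have = prefs.get(name)  # None means unset, so the browser default applies
        if type(have) is not type(want) or have != want:
            findings.append((name, have, want))
    host = prefs.get("network.proxy.socks")
    if host not in LOOPBACK:
        findings.append(("network.proxy.socks", host, "loopback address"))
    return findings

# Constructed sample: remote DNS left off, memory-cache line commented out.
SAMPLE = '''
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 1080);
user_pref("network.proxy.socks_remote_dns", false);
user_pref("browser.cache.disk.enable", false);
// user_pref("browser.cache.memory.enable", false);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.prefetch-next", false);
'''

if __name__ == "__main__":
    for name, have, want in audit(SAMPLE):
        print(f"{name}: found {have!r}, expected {want!r}")
```

With `network.proxy.socks_remote_dns` left false, page traffic goes through the tunnel but hostname lookups still leave over the local resolver, which is the gap this check is meant to catch.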