You have asked the most important question in this topic. Privacy and security only have meaning when you develop a threat model or encounter a threat. With digital security it is usually pretty straightforward in that you don't want anyone else controlling your computer or phone and using it for their own ends. And a lapse in digital security can ruin attempts to secure privacy.
Privacy is where threat models should be developed so that you (1) don't waste time worrying about and working around nonexistent threats and (2) can think holistically about a given threat and not believe in a false means of privacy.
For example, if you are of a marginalized community, closeted, and in a very unsafe living situation, your main threat model might be getting doxxed and outed. To prevent this you should ensure that there is zero to no information that would link your real identity to an online identity and you should roll accounts to ensure small slipups can't be correlated. VPNs probably don't help in this threat model but they don't hurt either. A private browser does nothing in this situation. Securing your phone and not leaving it unlocked anywhere is good for this situation (sometimes privacy isn't really about tech but behavior). Using strong passwords that can't be guessed helps with this situation. Making a plan to move to a safe living situation so you can be out will resolve the threat entirely, though it may mean needing to think about new ones.
Notice that the government was not in this threat model and that it was more about violence towards the marginalized. Cis white guy techbros generally have nothing to worry about re: infosec and are just being enthusiasts or LARPers. Nobody is showing up at their house with a gun and the feds are not going to arrest you for having the most "centrist" political takes and actions available. The people that need to protect themselves are those facing overt targeted marginalization or who take political action that the government wants to, or would eventually want to, suppress. For example, the US government labelled anti-apartheid groups as terrorist organizations and intimidated or jailed those they could identify. It has a habit of doing this to any advocacy groups that gain steam and actually pose a political threat to their opponents.
Even if you don't have a threat model, though, having good digital hygiene is useful in case one develops in the future. You may currently do political work that seems safe, and it is because it is not perceived as a threat. Let's say you help organize unions. But there have been times where organizing unions would mean you're targeted by the government and hired thugs and those times can easily return. If they have compiled a database of likely union sympathizers, will your name be in there? Maybe that's a risk that you just take. But maybe you should use good privacy practices so that you can go underground when needed.
The latter applies to the threatless cis white techbro "centrists". Such an individual may someday change politically or in their gender identity and having good practices would then pay off.
Hi! Although your post is full of reasonable advice on maintaining privacy online, I want to challenge you on the statement that the threat model matters. The contrapositive of the statement "I don't need privacy if I have nothing to hide" is "I have something to hide, if I need privacy". This puts those marginalized groups you mentioned in a position where simply by using a privacy tool or technique, they draw suspicion to themselves. It might immediately raise subconscious alarms in internet communities like Facebook, where the expectation is that you use your real name.
The only way privacy measures work for anyone, is if they're implemented for everyone.
Further, I'd like to challenge the concept that a cis white tech bro has nothing to hide. There's a big invisible "for now" at the end of that statement. The internet, mostly, never forgets. We've had waves of comedians get "cancelled" over tweets they made years ago. Times change, people grow, laws regress. Posting statements about abortions is, as of this year, suddenly unsafe. Maybe posting about neurodivergence comes next. Who knows with the way the world is going, maybe 5 years from now you'll regret having posts on /c/atheism associated with you.
I think a good way to be considerate of privacy is to think in terms of identities, what those identities are for, and what links those identities. Does your identity on GitHub need to make comments about your political leanings? Should your resume have a link to your GitHub? Does your identity on Etsy need to have a link to your OnlyFans? Does your dating profile need a link to your Reddit account? Your "2nd" Reddit account? Not all of these are clear yes or no answers, they're just things to consider and make decisions about. Also, consider what class of identities you only have one of, and what class of identities are for the most part unchangeable, e.g. attaching your phone number to two separate identities functionally links them.
> The contrapositive of the statement "I don't need privacy if I have nothing to hide" is "I have something to hide, if I need privacy".
I said neither. I said that the marginalized have relevant threat models and, at least in the state they are currently in, cis white techbros generally do not and treat privacy as a hobby, failing to develop realistic threat models. This doesn't translate into either of those sentiments.
> This puts those marginalized groups you mentioned in a position where simply by using a privacy tool or technique, they draw suspicion to themselves.
That really depends on the specifics of the technique and if your threat model is the entities that could draw those conclusions, namely a government, they will tend to do that regardless. For those threat models you should really be shedding digital communication entirely and making a plan to leave.
But sure, something like having a ton of boring and diverse traffic in a VPN is useful for making them a privacy tool at all.
> It might immediately raise subconscious alarms in internet communities like Facebook, where the expectation is that you use your real name.
Alarms among who and what are the threats? This means nothing without a threat model.
> The only way privacy measures work for anyone, is if they're implemented for everyone.
This is simply false. For example, not everyone needs to meet in-person just for that to be an option for staying private. So long as you have a means to avoid leaking certain information to certain people, you can meet the needs of a threat model.
> Further, I'd like to challenge the concept that a cis white tech bro has nothing to hide.
Not what I said.
> I think a good way to be considerate of privacy is to think in terms of identities, what those identities are for, and what links those identities.
The only meaningful way to think about it is in terms of threat models. Identities are an aspect of engaging in certain online activities, they only have meaning relative to a threat model. I agree that it is a good idea to keep employers out of your political activity by not tying them together but that is because we live under capitalism where your employer can remove your means to provide for yourself whenever it wants. The threat model is ubiquitous, just differing slightly in its form (delays, the need for lawyers, etc). There are of course more threat models re: political activity.
The risk of not considering threat models and instead adopting broad brush practices is that you can fail to adequately weigh threats or get a false sense of security.