On desktop, use a recent Windows Secured-Core PC, MacBook or Chromebook. These all have numerous security advantages, including
proper verified boot, a strict IOMMU, etc.
Mobile phone hardware is covered in the mobile operating system section.
The desktop security model is very broken. It was not designed with security
in mind — security was only a poorly implemented afterthought. However, there are some operating systems that are less bad
in this regard. If you can, stay away from desktop and stick to mobile devices.
Use Windows 11 (preferably in S mode and on a Secured-Core PC), macOS, ChromeOS or QubesOS. Generally, these operating systems have made substantial progress on adopting modern exploit mitigations, verified boot, sandboxing, memory safe languages and so on.
There are advantages and disadvantages between these options, and it is not possible to give an accurate recommendation as to which of these will suit any particular person. One must develop their own threat model and choose the suitable operating system in accordance. For example, Windows 10 has great exploit mitigations, such as its coarse-grained, forward-edge CFI implementation, Control Flow Guard, whereas macOS has full verified boot to eliminate malware persistence.
Some of these operating systems do have some privacy invasive telemetry, but it can usually be disabled in the settings and verified with a network analyser tool like Wireshark if you wish to be certain.
The security of QubesOS depends entirely on how you use it. The security within the virtual machines matter a lot — don't neglect it. Make sure that you use secure guest operating systems and split everything between as many virtual machines as possible. Virtualisation can be a very strong security boundary, but it is not magic. I'd recommend reading Brad Spengler's criticisms of QubesOS to understand some of its limitations.
Do not use Linux (QubesOS is not a Linux distribution).
Mobile operating systems were designed with security as a foundational component. They were built with sandboxing, verified boot,
modern exploit mitigations and more from the start. As such, they are far more locked down than other platforms and significantly
more resistant to attacks.
Use either the stock operating system or preferably, GrapheneOS on a Pixel ≥4. Do not root your device, do not keep your bootloader unlocked and stay away from alternative operating systems like LineageOS, as they substantially worsen the security model. Read the Android article for more details.
Alternatively, use an up-to-date iPhone, which is comparable to GrapheneOS on a Pixel, and do not jailbreak your device.
Stay away from Linux phones.
For security, use Chromium. Avoid Firefox or browsers based on it, as they are currently very
lacking in security. Microsoft Edge is a better choice for Windows users, as it can utilise
Microsoft Defender Application Guard (MDAG) and has an
enhanced security mode
in which JIT is disabled and mitigations such as ACG, CIG, CFG and CET are all enabled in the renderer process.
For privacy, use the Tor Browser, and consider using the security slider. Do not assume that "hardening" Firefox or other browsers will make it private; it won't. Be aware that this has massively reduced security from other options, as mentioned above.
For a mixture of security and privacy, use Vanadium, Bromite or Brave, although none of these are as good as the Tor Browser when it comes to privacy.
Use Signal, preferably with a burner or VoIP number.
If you can, stay away from email, as it is a fundamentally
insecure protocol, but if you must use it, use a reputable email provider with a strong focus on security, such as
ProtonMail or Tutanota.
Store passwords in a good password manager — KeePass or Bitwarden is recommended. Generate 20+ character passwords containing a completely random assortment of upper and lowercase letters, numbers and symbols. Use a different password on each website, and enable two-factor authentication (2FA) for every website. Do not use SMS for 2FA, as it is vulnerable to simjacking and man-in-the-middle attacks. Use an authenticator app like Aegis.
https://part of the URL when visting a website to prevent sslstrip attacks. Make sure that the padlock icon is displayed in the address bar. Enable HTTPS-only mode in your browser.