Outside the Internet, when we are on the streets, someone is always watching us. Inside internet, is the same. Inside home, can be possible, and even if no one is watching, we feel that someone is. With this paranoia we live in a world, where each imagine how much people would be watching them, to judge them and punish them. (is what humanity did best in history)
So, we start installing our Operating System in our old or new hardware, while the new hardware already have mechanisms that are made to spy us, we can use the old to prevent that to happen. But the old hardware have some other issues too, and the perfect computer is offline and crashed with a hammer several times, until only small pieces of the hardware exist. So, since that will destroy our computeres, being new or old, we continue in risk. Some people make Operating Systems installations offline, and some others, online. I really prefer to make them offline and put them online only when needed. For example, Microsoft Windows is the best operating System in the world, when is offline. I can play games ( offline ) and no hacker will hack me. I am sure the hacker could hack me, but the machine is offline and all my private things are not there... while they could. People encrypt their hard drive, but if the hard-drive is online, encryption is useless, or else, all files are encrypted and that lead us to another problem, which ask us to encrypt each file with different passwords. If you have 100 files you need to memorize 100 passwords. But computers have thousen of files, and if you encrypt them, the OS, will not work. Always use some dedicated Firewall between your ISP router and your machines. With that, you can monitor your traffic and block all the sites and services that are sensible, since by default, all ISP routers, share Windows Documents with Samba. I Like Samba, but only when is that Brasilian Music Style to dance, not the Linux service to share Windows Filesystems. I really "hate" that default configurations from all ISP routers that are active by default, but since I cannot process them in court, at laest I can desactivate those services. From IPSense(BSD) to IPCop(Linux), Suricata(softwre) and Snort(software), whatever service you are using to monitor your network traffic, you should learn something more, like TCPDump(software).
Test for your self. Go into your ISP router and setup a exposed machine in your network, or setup a bridge. What ever your choice is, you will be targeted of random attacks from the very first minute you are using this machine. So, when you are installing a OS being online, the risks of being hacked without knowing, is really big!!!
Always setup a Firewall, with PF(BSD) or IPTables(Linux), but set it up! Don't trust Microsoft, because they don't trust you too.
Zero Trust is the Cloudflare Service that defend your computer from external attacks, while exposing it into the internet.
Use Fail2ban to ban all IPs who try to attack you with "-1" value (for all eternity)
Is not fair? Well, that is a religious problem, since the Good block the Bad ( who deny his will ) for all eternity, like poeple do.
Maybe is not a religion problem, but human, while in some cases is the best choice.