Browser setups to stay safe from malware and unwanted stuff
First of all, good job on choosing Firefox and the right plugins, it's really the browser to go with privacy-wise.
To extend upon the points that nobody mentioned yet, an important part of hardening your browser would be the configuration of your Firefox browser! You can do that by typing about:config into the address bar and accepting the risks. Then you search for the specific string I specify in this answer. I will draw a line where the security completely destroys functionality (judging from my experience, since I myself use this setup).
First off, you're better off disabling WebGL: Motivation
webgl.disabled = true
Disabling WebRTC will prevent your IP from getting leaked behind VPNs (yes, NoScript SHOULD protect you but you can never be too safe):
media.peerconnection.turn.disable = true
media.peerconnection.use_document_iceservers = false
media.peerconnection.video.enabled = false
media.peerconnection.identity.timeout = 1
You're better off disabling third-party cookies:
network.cookie.cookieBehavior = 1 (Only accept from the originating site (block third-party cookies))
Never store extra information about a session: contents of forms, scrollbar positions, cookies, and POST data:
browser.sessionstore.privacy_level = 2
Activate integrated privacy measures:
privacy.firstparty.isolate = true
privacy.resistFingerprinting = true
privacy.trackingprotection.fingerprinting.enabled = true
privacy.trackingprotection.cryptomining.enabled = true (disables cryptomining on piratebay)
browser.send_pings = false
browser.sessionstore.max_tabs_undo = 0 (Firefox doesn't remember your recent closed tabs anymore)
browser.urlbar.speculativeConnect.enabled = false (disable preloading of autocomplete URLs)
media.navigator.enabled = false
This enables the integrated privacy guard (uses mostly Disconnect.me filters, also breaks Captchas, but you can disable it for certain sites, since it will be like 1% of your total surfing):
privacy.trackingprotection.enabled = true
Disable the DOM Clipboard Event:
dom.event.clipboardevents.enabled = false
Protect yourself against punycode phishing attacks:
network.IDN_show_punycode = true
Disable WebAssembly:
javascript.options.wasm = false
In the normal browser settings you can also disable Pocket, erase history, cache, cookies upon exiting Firefox. That should be more than enough.
DANGER ZONE
- Disables playback of DRM-controlled HTML5 content, which, if enabled, automatically downloads the Widevine Content Decryption Module provided by Google Inc. This will break Netflix et al.!
media.eme.enabled = false
media.gmp-widevinecdm.enabled = false
- Send Referer only when the full hostnames match:
network.http.referer.XOriginPolicy = 2
- Only send scheme, host, and port in Referer:
network.http.referer.XOriginTrimmingPolicy = 2
If you're near-paranoid you can even disable Referer:
network.http.sendRefererHeader = 0
If you need even more privacy, check this out.
You can also blacklist hosts if you haven't already so other apps don't have such a huge attack surface.
There is also a plugin called LibreJS which blocks proprietary, non-trivial and obfuscated JavaScript code.
Also setting the locale to en-US in your browser is a good approach to privacy.
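As an added example (not part of the answer above, and not Firefox's own code): values changed in about:config are written to the profile's prefs.js as `user_pref("name", value);` lines, so a short Node.js script can check a profile against the answer's settings. `BASELINE` copies a subset of the prefs listed above; `SAMPLE` is constructed input, and `parsePrefs` / `auditPrefs` are hypothetical names.

```javascript
// Baseline: a subset of the values given in the answer above (not the "DANGER ZONE" ones).
const BASELINE = {
  "webgl.disabled": true,
  "media.peerconnection.turn.disable": true,
  "media.peerconnection.use_document_iceservers": false,
  "media.peerconnection.video.enabled": false,
  "network.cookie.cookieBehavior": 1,
  "browser.sessionstore.privacy_level": 2,
  "privacy.firstparty.isolate": true,
  "privacy.resistFingerprinting": true,
  "privacy.trackingprotection.enabled": true,
  "dom.event.clipboardevents.enabled": false,
  "network.IDN_show_punycode": true,
  "javascript.options.wasm": false,
};

// Constructed sample of a profile's prefs.js, for illustration only.
const SAMPLE = [
  'user_pref("webgl.disabled", true);',
  'user_pref("network.cookie.cookieBehavior", 0);',
  '// user_pref("javascript.options.wasm", false);',
  'user_pref("network.IDN_show_punycode", true);',
].join("\n");

// Parse user_pref("name", value); lines into a Map. Commented-out lines are ignored.
function parsePrefs(text) {
  const re = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/gm;
  const prefs = new Map();
  for (const m of text.matchAll(re)) {
    const raw = m[2];
    prefs.set(m[1], raw[0] === '"' ? raw.slice(1, -1) : JSON.parse(raw));
  }
  return prefs;
}

// Report baseline prefs that are absent from the file ("unset", i.e. never changed
// from the Firefox default) or that hold a different value ("mismatch").
function auditPrefs(text, baseline = BASELINE) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(baseline)) {
    if (!prefs.has(name)) findings.push({ name, status: "unset", want });
    else if (prefs.get(name) !== want)
      findings.push({ name, status: "mismatch", want, got: prefs.get(name) });
  }
  return findings;
}

for (const f of auditPrefs(SAMPLE)) console.log(f.status, f.name, "want", f.want);
```

An "unset" finding only means the pref was never changed in that profile; whether the built-in default already matches the baseline depends on the Firefox version.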
As you correctly point out, there is no 100% guarantee that you cannot be infected by malware through a browser.
I think it would be best to adhere to a multilayered strategy here. How deep you go of course depends on your security and other requirements.
The first layer is to be mindful of the websites you visit. If you limit yourself to a few very well-known sites that have been bookmarked, this severely limits your exposure.
Second layer is to always stay current on security updates, not only for your browser but also for the operating system. Malware is usually dependent on some sort of misconfiguration or known security vulnerability. The second one and sometimes the first one can be solved by keeping current on updates.
Third layer would be the tools that you mentioned. I am not going to discuss them separately, since there are already good pointers in the comments. Keep in mind, however, that every additional tool that you use might also be a security risk in itself for various reasons.
Fourth layer is to separate the environment in which your browser is running from your other (important) data. This can be done by using a virtual machine or even a physically different host. This, however, is some work because you would have another operating system to configure and maintain.
The order of layers can be argued about, but you get the picture.