Use a 2fa authenticator app, Raivo if you are on iOS, Aegis if you are on Android. They both allow you to create backups of the tokens. And then also keep a safe backup of the recovery codes that are given to you after you complete the 2fa.
It’s better to be locked out of your password manager and just reset your password for all your accounts, than to have every single one of your accounts get hacked and possibly NEVER get them back.
I would heavily recommend that you don’t put all your eggs in the same basket ESPECIALLY when it comes to a password manager. If you’re going to use Proton Pass, make a separate email for that.
To answer the next question, yes you do bother with 2FA ESPECIALLY for a password manager. I mean, you are literally storing like 30 or however many passwords, pretty much your entire digital life there. Do you think it is a good idea to have only one form of verification, one that can be easily cracked through a data breach, to hold all of your passwords? There is a reason why services like banks force you into 2FA when it comes to online banking. And you won’t have to worry about locking yourself out as long as you back up your 2FA tokens, and also keep a copy or two of the recovery codes, preferably in an encrypted file container on a computer and a USB drive.
Next question: use long pass phrases. Something like: Fediverse-American-Samsung-Electric-Hydro-Synth, you get the point. It is easier to remember than a password.
Use email aliases as much as you can. Simplelogin and Anonaddy are the two best recommendations. The less your real email is visible, the lower the chances of it being in a breach.
As for your threat model, if you don’t want to get hacked, do pretty much as I said above. Don’t put all your eggs in the same basket, use a password manager with a strong passphrase and 2fa enabled. Enable 2fa for as many services as possible and make backups and keep the recovery codes safe. Use email aliases to mask your real email.
I use it because it uses Mullvad’s servers but it also supports Mozilla. Have no complaints so far. Just use an alias email and pay with a virtual credit card or a visa gift card for maximum privacy. It’s got all the features that you need such as custom DNS, multihop, built in speed tester, malware and ad blocking (although does not work when you use a custom DNS).
If you are using a stock Android Pixel, it should have a ‘now playing’ feature. It is not privacy-friendly whatsoever, but then again, that’s just stock Android in general. If you are using a custom ROM, then I would suggest you just keep using Shazam but use it in a work profile using Shelter, and set the microphone permission to “ask every time”.
Never, considering how shit ProtonVPN is on Linux