It all depends on your usecase to define the risk vs effort.

I work in a cyber security role, yet my personal laptop has minimal security, because it doesn’t need it. Am I keeping military secrets on it? No. Does it contain bank records? No. So no full disk encryption, no app sandboxing, no AV scanning.

My work laptop… well, that’s a different case altogether.

My advice: do 1 thing at a time and make sure you understand it. For example, do you need a SSH server on a desktop device? Just disable it and that’s it secured. No need for additional jails, fail2ban, firewalls, etc… now it’s easier to maintain, which improves your overall security posture.

Have a look at Lynis and CIS-CAT, etc to audit your system… if it’s vulnerable and you don’t use it, remove it.

That’s why I use Arch… it only has the components you need.