You might want to investigate vopono which allows specific applications to run in a separate network space. This you could for example run Firefox or qbittorrent in a separate virtual network that can only communicate via Mullvad VPN tunnel but not see anything outside it. This is great for desktop use. Another great option is gluetun which allows other docker containers to be bound to a VPN tunnel.

https://mullvad.net/en/blog/2023/8/9/response-to-tunnelcrack-vulnerability-disclosure/ is Mullvad’s response to this topic. TLDR not a concern other than possibly for IOS.

Thanks for pointing out dar, out definitely has some very interesting capabilities. My backup took off choice is BorgBackup as it makes local/remote, encrypted, deduplicated backups easy and allows for mounting previous snapshots via fuse fs for easy restore.

Instead of a fire safe which will only offer some protection I would rather get two Pelican style cases. Keep your backup drive(s) in there. Use a deduplicating/encrypted backup software to create two backup sets (I highly recommend BorgBackup). Store one of the backup cases off-site (at a friend’s house, in a drawer at work, …) and occasionally rotate the two cases.