Stuxnet targeted scada

But yes, vulnerabilities exist for sale and many for cheap. Cheap ones not likely to be as successful, especially is you practice good security hygiene. Don't click unknow links, run antivirus, don't plug in random thumb drives, etc..

Emails, use two factor authentication. Also password manager software will allow you to use passwords that are not easily brute forced.

Most industries believe their data to be highly sought after, none of it is particularly true. I work in health care, and people are paranoid about data security. Not because of hacker threats, but because there are criminal penalties for failing to secure data in accordance with the mandated standards. The pertinent standard for HIPAA compliance that I have to deal with most is ISO 27001. which goes so far as to require internal communications to be encrypted as well. PCI standards don't even go that far. The reality is that randoms care about money, and your data is only valuable to them if they can get paid for it. They aren't likely to steal your data and sell it, they are likely to encrypt your data and make you pay to decrypt it. In this case, the government will recommend that you pay them to get your data back, learn your lesson, and move on. The only time you really need to be concerned about somebody wanting your data is if your data includes credit card numbers in bulk (thousands of them), or if you've made an enemy who is personally after you.

For the OP, it seems like you've recently become aware of the real threats that exist in the interconnected computing world, and it's freaking you out. A person with little compouting background reading articles about this stuff is like a hypochondriac reading WebMD. If you are really concerned about cybersecurity, find the applicable security standards that are required for your industry, and either implement them yourself, or pay an outside company to do it. If you use 3rd party for things like email, just make sure they are certified to those standards. Resorting to TOR to browse the web, or getting rid of your smart phone is paranoia more than security. If it's government you're worried about then turn off your computer, if they want to get in you cannot reasonably stop them. TOR is traceable if they really want to, they've demonstrated this before. Frankly, lawyers have the least to worry about from government, because government actually respects confidentiality for lawyers, not true for many other professions, like doctors. They won't come after you unless you give them a reason

Remember, you don't have to figure this all out yourself, somebody who knows what they're doing already has, and has auditable security standards defined for your industry. If you're really concerned about it, hire a firm like KPMG to audit you, remembering that it's a full time job to work with auditors

This is the third thread you've started dealing with this, so I assume as kb suggested above, that you've never really been exposed to some of the threats that are out that prior to the CLE you are attending.

As has been said in both this thread and others, ditching a smart phone for a flip phone doesn't really provide nearly as much security as you think it does, especially weighed against the benefits of a smartphone. Just practice smart data security, as most successful hacks depend on social engineering, usually as the initial entry vector. This includes the things kb mentioned above like not plugging in strange USB drives (how Stuxnet infected the Iranian systems originally), don't click on links in emails, use strong passwords/password managers, etc. None of that is anything new.

If you are totally paranoid, use an iPhone or one of the Android devices built for security, use encrypted email for protected communication (I believe you've already switched to Protonmail), use an end to end encrypted messaging platform for voice and text (WhatsApp, Telegram, etc), use a good antivirus program like ESET NOD32, use either a real network security appliance or a router running DD-WRT (that offers far more security options than stock router firmware) depending on your budget, don't bring your phone into a meeting that you are really paranoid about a recording being made of and practice smart data security as mentioned above.

John McAfee is pretty much a crackpot at this point.