Use a Mac with an Apple Silicon chip (M1 or newer) because of its secure ARM architecture. Newer chips have better security features, so it's best to stick with the most recent ones.
Older devices (with T2 or T1 chips) are no longer recommended because they are vulnerable to checkm8 and the Passware Kit Forensic T2 Add-on, and they lack some hardware security features.
First steps
Distrust all networks by disallowing all incoming connections in Firewall settings (stealth mode).
Check for updates and enable automatic updates for both the OS and the App Store.
If multiple people use your Mac, limit the number of users with administrator privileges and set up a user account for each person, so that one person can't modify the files needed by another.
Check that all forms of remote access are disabled in Sharing settings.
Use only Safari as your browser, because it supports Private Relay and Passkeys, offers many privacy features, and has the best compatibility with the Apple ecosystem.
Back up with Time Machine and make sure you have encryption turned on.
Instead of using insecure, privacy-unfriendly adblocker browser extensions or programs, use the Reader mode in Safari.
If possible, use iCloud Private Relay. Alternatives are Quad9 and Cloudflare. Quad9 provides an easy solution with Apple-signed profiles. AdGuard and NextDNS are also options, but some users report problems such as false-positive filtering and stability or performance issues. Only Private Relay supports ODoH!
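
To verify the firewall, automatic-update, administrator and remote-access items from the First steps list, the following read-only audit script can be run on the Mac. It is an added example, not part of the original guide. It assumes the standard macOS tools `socketfilterfw`, `defaults`, `dscl` and `systemsetup`; the status wording it matches and the sample strings used to check the parsers are assumptions, since the output differs between macOS releases.

```shell
#!/bin/sh
# Added example: read-only audit of several "First steps" items. Run on macOS: sudo sh audit.sh
FW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Classify one socketfilterfw status line as on / off / unknown.
# Assumption: wording differs between macOS releases, so match loosely.
fw_state() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    *disabled*|*" off"|*" off."|*"state = 0"*) echo off ;;
    *enabled*|*" on"|*" on."|*"state = 1"*|*"state = 2"*) echo on ;;
    *) echo unknown ;;
  esac
}

# Count administrators other than root in the output of
# `dscl . -read /Groups/admin GroupMembership`.
admin_count() {
  n=0
  for u in ${1#GroupMembership:}; do
    [ "$u" = root ] || n=$((n + 1))
  done
  echo "$n"
}

# A `defaults read` value counts as enabled only when it is exactly 1.
pref_on() { [ "$1" = 1 ]; }

report() { printf '%-36s %s\n' "$1" "$2"; }

audit() {
  report "Firewall" "$(fw_state "$("$FW" --getglobalstate)")"
  report "Block all incoming connections" "$(fw_state "$("$FW" --getblockall)")"
  report "Stealth mode" "$(fw_state "$("$FW" --getstealthmode)")"
  su=/Library/Preferences/com.apple.SoftwareUpdate
  for key in AutomaticCheckEnabled AutomaticDownload \
             AutomaticallyInstallMacOSUpdates CriticalUpdateInstall; do
    v=$(defaults read "$su" "$key" 2>/dev/null) || v=
    if pref_on "$v"; then report "$key" on; else report "$key" "off or unset"; fi
  done
  v=$(defaults read /Library/Preferences/com.apple.commerce AutoUpdate 2>/dev/null) || v=
  if pref_on "$v"; then report "App Store AutoUpdate" on; else report "App Store AutoUpdate" "off or unset"; fi
  members=$(dscl . -read /Groups/admin GroupMembership)
  report "Administrators (excluding root)" "$(admin_count "$members")"
  report "Remote Login (SSH)" "$(systemsetup -getremotelogin 2>/dev/null)"
}

# Only run the live checks on macOS; elsewhere the functions can still be sourced.
if [ "$(uname -s)" = Darwin ]; then audit; fi
```

Any line reported as `off`, `off or unset` or `unknown`, or more administrators than expected, points to the matching setting to review in System Settings.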