
The absolute first step is to take control of your devices. LineageOS or Replicant phone. GNU+Linux on computer, OpenWrt or similar on router/switches, IPFire or similar on firewall. Firefox instead of Chrome or Opera. VLC instead of iTunes. Emacs/Vim instead of Sublime. Blender instead of Maya. Etc. I'm working on this myself. It's not easy, but it is worth it.

RMS was and is right: either the user controls the program or the program controls the user.

When you fix a bug, contribute it back. When you write a program, make it (L)GPLv3.



> GNU+Linux on computer

Why not Qubes OS?


Qubes is GNU+Linux; it's a fine choice but not the only one.


> Firefox instead of chrome

Although I understand your sentiment here on philosophic grounds, it would be far more practical to run Chrome, because the likelihood of NSA hoarding effective chrome 0days is much smaller than hoarding FF 0days.

Ideological purity is nice, but practical defense against the enemies of your ideology is better.


> the likelihood of NSA hoarding effective chrome 0days is much smaller than hoarding FF 0days

Based on what rationale? I think the strongest influence on 0-days is market share. Hence why switching to GNU+Linux alone isn't enough (but it's the right start). According to http://www.netmarketshare.com/ Chrome is now almost 60% of market share, and let's not forget how many people are using Chrome on Android devices.

I find your claim to not stand up to scrutiny.

Regardless, this is the mentality that has gotten us into the situation we are in anyway. It's like a technological variation of the ends justify the means. No, I disagree and I find it to be a fundamental problem with the way many do their computing in the modern world.

While we do have Chromium, it has still had privacy issues, and Google has shown themselves untrustworthy when it comes to data sharing with the world. They had every opportunity to give us a GPL phone with Linux on it, and instead we got a half-proprietary, non-rooted series of backdoored Android phones. Relying on Google is not the way to go for those who care about privacy and security, as they have repeatedly violated their original motto of "don't be evil".

If we really wanted to base the discussion on data though, I would like to see numbers on fixed remote exploit bugs in both to see who is actively fighting this better. I also feel like once Firefox has a 64-bit Rust-based render engine they will suddenly regain a lot of market share.


Hate to appeal to authority, but tptacek has addressed this many times previously, citing going market price differentials between FF and chrome bugs.

The security model of Chrome lends itself to far fewer serious vulnerabilities than in FF.

I do agree with you that rewriting the entire browser in a safe language like Rust would be a significant shift in the security situation.


And the likelihood of Google streaming a copy of all your URL bar keystrokes to the NSA archive is larger still. Or hell, even if they don't stream them live, they surely store them for analysis and can respond to subpoenas.


Is there any evidence of this type of telemetry? Assuming you use it (or better, Chromium) as just a browser (e.g. don't log into it) behind your VPN, proxy, or overlay network of choice, I can't imagine this threat model being too bothersome.

And you're far more resistant to watering-hole attacks than you are with FF.


> Is there any evidence of this type of telemetry?

https://en.wikipedia.org/wiki/Google_Chrome#User_tracking

> I can't imagine this threat model being too bothersome

Your entire browsing history reveals too much about you, making your profile unique. Then any connection to your other data reveals your real name.



