Maybe I'm missing something but the EU isn't mandating ISPs to use this DNS.
Here it's up to anybody, if they want to, to use this DNS instead of their ISPs, or NextDNS, or corporate Americans alternatives e.g. Google Public DNS or Cloudflare's. I don't think any average citizen, in EU or elsewhere, is directly hitting on ICANN's servers.
Interesting, I'd be curious to know if they have quality of service reports, benchmarks against existing alternatives.
It's tempting but if performance, e.g. latency or reliability, sucks then despite the effort I wouldn't use it.
"dns0.eu is a French non‑profit organization founded in 2022 by Romain Cointepas and Olivier Poitrey — co-founders of NextDNS."
whereas
"Supported by the European Union Agency for Cybersecurity (ENISA), the European Union's DNS4EU secure-infrastructure project"
so AFAICT the 1st is by (EU) citizens with the technical expertise and selling a related product whereas the 2nd is by the public EU administration.
If you are not already aware of it you might be interested in SplinterCon.
That being said this service seems like option, an alternative to existing solutions, so in that sense I don't believe they are splintering more.
FWIW "Unfiltered option is a valid option for users who are confident their devices and connection are secure, and are looking for fast, reliable, and anonymised resolution service."
Someone who doesn’t need much experience can access the hard drive / SSD and replace the bootloader.
...
I probably sound paranoid af right?
Well, all your points are fair but IMHO the intersection does not exist.
Namely, yes, some people living with you might want to access your files somehow... but able to change the bootloader? Even knowing what a bootloader is? I don't know if your friends or parents are ICT professionals but otherwise, I would be that's not plausible.
Consequently I do recommend you protect yourself, yes, but IMHO the threats are much MUCH lower than that. Namely... maybe checking the last open files or even "just" your browser history is what a typical person might consider, not changing a bootloader.
So... I would personally start with that, e.g. encrypted disk yes, with strong password or even physical token login, e.g. NitroKey or YubiKey. They should never have access to your unlocked computer but once it's locked, in theory there should be no practical way to access files. I insist on the practical word because... I wouldn't imagine parents or flatmates to have access to a cluster of machines to crack encryption.
Debian stable.
I don't understand the "fetish" (for lack of a better word) with updates. Apologies for being provocative.
The only update one truly needs are :
... that's it!
Everything else might "feel" nice but that's not up to the distribution. If you want the very latest Blender because you are a 3D artist who needs a very specific feature, get the latest Blender! Get it straight from them, NOT from your distribution. If you really REALLY want the bleeding age, get right from the code repository, get the binaries for your architecture, heck even build it yourself it's actually rarely that difficult. Maybe the first time you will need some dependencies but the 2nd time it will be way WAY easier.
Anyway... you get he idea, IMHO your system should be 99.99% boring, only necessary changes. For the few things you genuinely, actively, mindfully NEED (even if it's just due to curiosity) go wild, get the latest!
the average script-kiddie can’t just download some tampered bootloader online and easily replace the bootloader.
Can you provide me with an example of that threat with which setups are affected by that?
What about https://certification.oshwa.org/de000007.html then? Audits like https://www.nitrokey.com/news/2015/nitrokey-storage-got-great-results-3rd-party-security-audit have been done and you could run your own.
Check Nitrokey Storage 2 but note that 16GB will cost you 100EUR and 64GB 200EUR which makes for an expensive USB stick. That means it is ONLY for things you want encrypted. It's not for your stuff you could download back from the Internet (obviously) but also not for your holiday pictures. It's for the very few things, like your SSH keys to access other machines, that truly matters. In such cases then IMHO then it's actually a lot of space.
That being said it's :
Details https://shop.nitrokey.com/shop/nitrokey-storage-2-56#attr=2
If it’s not Linux from Scratch, then we don’t know exactly what is running, and we need to consider that.
What about Precursor? It's "just" RISC-V System-on-Chip (SoC) yet that's the entire premise, trying to know all the way to the processing unit instructions.
The instant any such report were to be made public anybody who cares about privacy would switch to another DNS.
I'm not saying it's not possible, or won't happen, but rather the barrier to switch is so low I have a hard time anybody would accept that "compromise".