For extra security, run the opensnitch application firewall to block outbound connections.
Using OPNsense as the gateway to your network is also a good choice (it runs on HardenedBSD).
Building your own kernel will also make your system harder to exploit. Enforce signed modules at the kernel command line with:
module.sig_enforce=1
All of the kernel hardening options can be enforced on a desktop system. Run applications in firejail; most browsers can be run with hardened_malloc.
If you use out-of-tree kernel modules, these can also be signed using arch-sign-modules to build your custom kernel. I maintain the package & it should always work on linux-hardened & linux-lts with the modules zfs / nvidia / p_lkrg (Linux Kernel Runtime Guard).
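What `module.sig_enforce=1` actually checks at load time is a signature trailer appended to the `.ko` file. The following added example (not from the post, arch-sign-modules or the kernel) parses that trailer the way the kernel's `mod_check_sig()` does, so you can audit whether an out-of-tree module was signed before rebooting into an enforcing kernel; the ELF body and PKCS#7 blob are constructed stand-ins, not real data.

```python
import struct

# Signed-module layout (include/linux/module_signature.h):
#   [module ELF][signer][key id][signature][struct module_signature (12 bytes)][magic]
MAGIC = b"~Module signature appended~\n"
# struct module_signature: algo, hash, id_type, signer_len, key_id_len, __pad[3], __be32 sig_len
SIG_STRUCT = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # the only id_type current kernels accept


def parse_module_signature(blob: bytes):
    """Return a dict describing the appended signature, or None if the module is unsigned.

    Raises ValueError when a trailer is present but inconsistent (truncated, bad
    lengths), which is the case a sig_enforce kernel refuses to load.
    """
    if not blob.endswith(MAGIC):
        return None  # unsigned: sig_enforce=1 would reject this module
    body = blob[: -len(MAGIC)]
    if len(body) < SIG_STRUCT.size:
        raise ValueError("trailer too short for struct module_signature")
    algo, hsh, id_type, signer_len, key_id_len, sig_len = SIG_STRUCT.unpack(body[-SIG_STRUCT.size:])
    elf_end = len(body) - SIG_STRUCT.size - (signer_len + key_id_len + sig_len)
    if elf_end < 0:
        raise ValueError("declared signature length exceeds file size")
    # For PKCS#7 the kernel insists that the legacy fields are all zero.
    if id_type == PKEY_ID_PKCS7 and (algo or hsh or signer_len or key_id_len):
        raise ValueError("PKCS#7 trailer must carry zero algo/hash/signer/key_id fields")
    return {"id_type": id_type, "sig_len": sig_len, "module_len": elf_end}


def build_signed_module(elf: bytes, pkcs7: bytes) -> bytes:
    """Append a PKCS#7-style trailer as scripts/sign-file does (constructed, not a real signature)."""
    trailer = SIG_STRUCT.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(pkcs7))
    return elf + pkcs7 + trailer + MAGIC


# Constructed sample inputs: a fake ELF body and a fake DER blob standing in for the PKCS#7 message.
FAKE_ELF = b"\x7fELF" + b"\x00" * 60
FAKE_PKCS7 = b"\x30\x82\x01\x00" + b"\xaa" * 28

if __name__ == "__main__":
    print(parse_module_signature(build_signed_module(FAKE_ELF, FAKE_PKCS7)))  # signed
    print(parse_module_signature(FAKE_ELF))  # None: no trailer
```

To check a real module, pass `open("/path/to/module.ko", "rb").read()` to `parse_module_signature`; compressed modules (`.ko.zst`, `.ko.xz`) must be decompressed first because the trailer sits inside the compressed stream.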