Two devices. Both formatted, clean install of good Linux distro of choice, full disk encryption. All software verified prior to installation. Both devices used for nothing else and kept physically and digitally secured.

Device 1, internet connected:
Your own node running over Tor.
Your own Electrum server of choice.
Your watch only Electrum wallet connecting exclusively to your own server.

Device 2, permanently airgapped at a hardware level:
Your Electrum wallet containing seed phrase/private keys.

That's the basics of it for maximum security/privacy while still being fairly easily usable. I could write a guide spelling out each step in detail, but what if I use Debian and someone else chooses to use Mint? What I choose Electrs and someone else wants to use EPS? How can I possibly write a guide for how to remove the WiFi card from every model of laptop in existence? What if someone's threat model is different to mine? Maybe they place more emphasis on $5 wrench attacks, so want to use passphrases for decoy wallets. Or perhaps they want to delete their watch only wallet when not in use. And so on.

As Loyce says, people need to understand why they are doing things and what those things achieve; not just blindly follow a list of instructions.