Mostly agree except about disconnecting from the internet. Classic SMS/voice calls aren’t any more private than VoIP.
Your best bet for location privacy is E2E encrypted services like Signal over Wi-Fi, plus MAC randomization and a VPN on untrusted networks. I’d say GrapheneOS is good enough for most people, but mobile Linux has also come a long way.
DoH is good, but it wouldn’t help much in this scenario. Even if every website you connected to supported Encrypted Client Hello, IP addresses greatly narrow down which domains you’re connecting to.
But realistically, using DDG to generate a password is safer than downloading a local program to do it; an attacker would have to break into DDG and MITM your internet. For a local program, all they have to do is compromise the site you download it from, and maybe the developer’s signing key if you check that.