"I don't need to care about privacy because I have nothing to hide." is an argument that I have heard countless times. I found this argument difficult to counter in the past, yet deep-down I knew the reasoning was flawed.
The problem is that the word "privacy" is dialuted and mean different things to different people. Instead of "privacy" we really should be talking about "control". Framed in this context, we can more concretely talk about why it's important to protect your digital identity.
For me privacy is not the primary driver, because like you mentioned, it doesn't make sense for the common folk and doesn't actually fall into people's threat model (journalists on the other hand should care). I am personally motivated by the notion of "control". Can someone else meditate how I experience the world and what information I consume? Whether that is censoring, influencing how much time I have to spend watching ads or which ads I am allowed to watch. Can they influence how I vote? Watch the talk In Defense of Privacy for a more on this.
Many of the convenient tools we use today (email, messaging, social media, password manager) are essential for daily life but they also yield control over to organizations (Google, Facebook, Amazon) that don't necessarily have our best interst in mind [1][2].
Questioning how "incentives align" is a really good litmus test for most things.
Most of the following recommendations are based on my own threat model and comfort level. There will always be a compromise between effort and easy. It's best to pick what fits your lifestyle.
Use a password manager! I use GNU pass because I don't want to hand over my passwords to a 3rd party. I typically only use the password manager from my laptop and don't access passwords from my phone (I consider this a better security practice). I have been meaning to try out passage. I would also recommend Bitwarden for those who want a better UI experience.
(Whatsapp is an unfortunate exception and I hate that I need it to stay connected to friends and family). Signal for messaging is preferable [3]. Venmo is disabled.
I run GrapheneOS on my Android. This allows me to sandbox, disable or uninstall apps rather than allowing super-privileged Google/ISP apps from doing whatever they wany on my personal device. By default, Google Play apps are unpriviledged and have to work within the sandbox model. GrapheneOS also allows you to restrict permissions at a granular level, including network access. You can also disable apps that you only use occasionally (Venmo, ride-sharing, Google play store).
I try to use opensource alternatives for apps on F-Droid. Did you know disabling Google play store (also location services) increases your battery life by a lot! Not running bloated stock OS also means your 5 year old phone is still fast and usable (wtf do I need to but a new phone every 2 years?). I barely use social media and don't install it on my phone (I use social media in Browser containers to limit 3rd party cookies).
I have a personal domain, which I use for email i.e. [email protected]. This allows me to switch providers whenever I want (e.g. lack of trust in Google, ProtonMail can raise their prices). These days I am using Tuta as my email provider because they are fast, offer a better price and have a strong focus on secure email. Also I can't be bothered to host my own email server.
I use firefox with privacy badger and uOrigin because I do not opt into companies personally targeting me (can be contentious since some sites use this to make money).
I host my calendar and contacts on a raspberrypi, which you can only access on localhost. The Caldav server is https://sabre.io/baikal, gets the job done. I use DAVx⁵ to sync the contacts on my phone.
Disclaimer: Cloudflare is my current employer. I switched to Cloudflare Registrar recently because they offered a lower price when my previous Registrar raised the price at renewal. I don't think Cloudflare really cares to make money on domain registration.
I use Cloudflare's DNS because I trust them more than other companies; purely based on their business and how their incentives align (https://one.one.one.one/). There are other secure/anaonymous ones out there.