RE: How (not) to Lose Your Crypto

in #security, 7 years ago (edited)

Great post as always @the-tech-guy. Here are some of my thoughts on each of the sections.

Phishing: one very good way to avoid a lot of the phishing attempts we've seen in crypto is to understand that there is absolutely no reason to share your private key under any circumstance, ever. If a site asks for it, it's guaranteed to be a scam.

Scam sites: I've been recommending that people download MetaMask, even if they shouldn't be using it for secure transactions. The reason is that MetaMask has a nice blacklist of known scam sites, and it will warn you if you land on one of these URLs.

Keyloggers/clipboard sniffers: /shameless plug for my post on this subject, including an exercise in creating your own. This is one that worries me a lot. When a large-scale attack happens involving keylogging PKs, I'm betting it will be because of a compromised popular browser extension.

Browser redirection: XSS and CSRF attacks are your main concern here. I've thought about covering this, but it's always ended up being too technical and nobody gets anything from it since they move on or already understand it.

Malware: There's a balance to be struck between convenience, cost, technical ability, and security here that I think is skewed. Definitely an impossible question to give a definitive answer to, but it's my opinion that people will err on the side of cheap & easy. Those with the technical ability are not the demographic that needs the most help, so I wouldn't suggest running Linux or buying a new computer. Instead, I'd focus more on the importance of using unique passwords and 2FA while taking small steps to improve your primary system's security.

Online Wallets: Steemit actually has pretty amazing security measures. They generate your randomized password for you, forcing it to be (at least initially) secure. They also have the savings option where you can store your currency and be notified if somebody tries to move it. They are forced to wait while you have time to cancel the removal and re-secure the account.

Great info, there are a lot of scammers out there.

One can always count on @tomshwom for a great reply. Thanks so much for adding your thoughts!
