How much do you want to trade usability for security? You'll have to make that choice for yourself.
Blobs
Most wifi chips require blobs, and these are the easiest to exploit, since they sit between the OS and the network card itself. Atheros cards are good, available in both internal PCI/PCIe and USB flavors. The AR9280 is a good 300 Mbps 802.11n card for a laptop, but check whether your machine has a whitelist that will try to stop you. Often, the whitelist can be bypassed somehow. Also note that a DMA attack may be possible over PCI but not over USB, so keep that in mind.
Nvidia has bad drivers, but they don't require blobs except for video decode and on very new hardware. Intel GPUs have good drivers, but are usually slow, except on new hardware. Most Intel hardware doesn't require blobs, but Skylake changes this. AMD GPUs have the best support in Linux, but require a blob to make the open source drivers work. With a proper kernel design, these blobs shouldn't be exploitable, but I don't know how this matches up with reality.
Hardware security
Any compromised machine can turn a microphone on to spy on you or to exfiltrate data at frequencies higher than your hearing range. You may wish to disconnect it from a laptop if this bothers you. They can even use the microphone to guess your keystrokes.
Many chipsets can run speaker circuits in reverse to turn the speakers into a microphone. Better disconnect these, too. Use headphones instead if you need sound at all, and don't plug them into a combination headphone/mic jack.
If you have one, disconnect it. Use a USB one if you need to so that you can unplug it.
Don't enable FireWire, PCMCIA, or ExpressCard support, and block off any other externally accessible PCI lanes. On a ThinkPad with a dock, you can lock the dock to the machine to make it harder to get to the dock port. They can pick the lock of course, but it's a deterrent. External video outputs are also suspect, as they may provide DMA to the video card through a bug in EDID parsing, and thus allow somebody to exploit the GPU driver.
You can make an effective version of secure boot using a laptop with coreboot and a GRUB payload. Basically, install a GRUB config in your coreboot payload to load a kernel off of an encrypted partition. Then, the only thing they can do is open the hardware to reflash the machine. To detect this, you can get some glitter paint and paint all the screws on the bottom of the machine. Then, take a high resolution picture of the glitter on the screws, and compare each time you leave the hardware unattended. This way, somebody who uses a screwdriver will have to repaint the screws, and the glitter will be in different places on the screws, which you can detect by comparing to the pictures you took.
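An added illustration of the coreboot-plus-GRUB setup described above (not from the original post): a grub.cfg meant to be embedded in the coreboot ROM rather than read from disk, so the boot path cannot be altered without reflashing. The disk layout, device names, file paths and kernel parameters are assumptions; the kernel parameters follow the Arch-style encrypt hook and will differ for other initramfs setups.

```grub
# grub.cfg stored in the coreboot payload (flash), not on the hard drive.
# Assumed layout (hypothetical): /dev/sda is a single LUKS1 container holding
# an ext2 root filesystem, with the kernel and initrd under /boot inside it.
# GRUB can only read what it unlocks, so nothing on disk is trusted before
# cryptomount succeeds and a passphrase has been entered.

set timeout=5
set default=0

# Unlock the LUKS container; GRUB prompts for the passphrase at boot.
# -a opens every LUKS volume GRUB can see; use -u <UUID> to pin one container.
cryptomount -a

menuentry 'Linux (kernel loaded from the encrypted root)' {
    # (crypto0) is the first container cryptomount opened.
    set root='(crypto0)'
    # Assumed paths and parameters: the initramfs reopens /dev/sda as "root"
    # (Arch-style cryptdevice= syntax) and mounts it read-only at first.
    linux /boot/vmlinuz root=/dev/mapper/root cryptdevice=/dev/sda:root ro
    initrd /boot/initrd.img
}
```

Because the config and GRUB itself live in flash, an attacker who can only write to the disk cannot substitute a bootloader or config of their own; the remaining avenue is the physical reflash the glitter-paint check above is meant to reveal.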
For 100% paranoia, stick to your laptop's onboard keyboard, and fill your USB ports in with hot glue. For a desktop, just glue everything into the back of your computer, and never connect or disconnect anything.
Consider wifi encryption to be broken already. Local traffic should take place over Ethernet (it's faster anyway). Traffic going to the internet will be intercepted by your ISP, so it's less of an issue there. Assume any wifi card that requires a blob connects your kernel directly to the CIA.
If you're running RAM older than DDR3, be aware that they can pull out your RAM and dump its contents. On a desktop it may be a good idea to rig something up to power off immediately when the case is opened, to buy a few more seconds for the memory contents to fade. You could combine this with an electromagnet or thermite to nuke your hard drives as well. For laptops, never use suspend on an unattended laptop. Always turn it off.
SSDs don't reliably erase data. Don't use them. Use a hard drive with full disk encryption. I would also recommend sticking to ext2 on Linux or FFS on BSD so that you can securely erase your data. Secure erasure is less reliable on newer file systems like ext3/4, XFS, ZFS, etc.