CoyoteFacts

Mailbox.org is a good pick to consider IMO. You can read some comparisons on PrivacyGuides, which I also recommend as a starting point for these sorts of topics. The mailbox.org web UI is not great, but it allows IMAP/SMTP access, so I use Thunderbird on both desktop and Android in order to interact with my inbox. My inbox is auto-encrypted with PGP using their Mailbox Guard thing, so my emails are all encrypted garbage on the web UI anyway. Mailbox.org only allows paid-for accounts, but considering the annoying stuff that Proton and Tuta do to their free accounts I’d rather just be honest about the service I’m getting. It allows auto-forwarding directly in the web UI, but given that you can hook up to it with IMAP anyway, it’s not like you couldn’t just do it yourself.

(Also, as another comment said I also recommend DuckDuckGo’s Email Protection for email aliasing if you need it.)

The straw that broke the camel’s back for me is the CEO’s icky tweet about how great Republicans are for your privacy and how they stand up for the little guys (what), which they doubled down on using the official Reddit Proton account. There’s already been a ton of discussion about this on the internet if you care to look for more angles on it.

But before that I’d already grown quite leery of them for their trend of endlessly starting new services before the old ones are polished, along with trying to push everyone into their walled garden and endlessly using naggy popups in the UI about it. Worst of all, they have a clear trend of not giving a damn about Linux support, sometimes giving up on certain features for their Linux clients or releasing the clients way after the Windows/Mac versions. For a “privacy company”, not putting Linux as a first-class citizen is really just unacceptable, and they’ve been around for long enough that it’s clearly a trend and not a fluke. To me, Proton just feels like a wannabe version of Apple. Its continued actions give me the feeling that it exists to serve itself, not its users.

I don’t support Proton for other reasons, but I’ll note that if anyone is having this problem you can use a half-measure of setting your other email address as a recovery email and enabling “daily email notifications”, which will email you once a day if there’s unread stuff in your Proton mailbox.

Also consider that you’re adding another party that you need to trust to the chain, and also adding another point of failure if iodéOS stops releasing.

I don’t have any experience with iCloud Private Relay, but I’d be surprised if enabling it will make you un-fingerprintable (in which case what are you really trying to accomplish by using it?). Also, who are you trying to stay private from? Do you personally believe that Apple and/or Cloudflare aren’t selling or trading your data? Would you be okay with them being the only ones that control your data if they’re not selling it? It’s a nuanced topic, and likely you’re the only one that can answer your position on that. It’s cliché, but defining a threat model can help a lot with deciding how many conveniences you are okay with giving up. I would likely argue that an Android phone with LineageOS can be made more private than an iPhone, but at the cost of security. Does your threat model need to sacrifice privacy for security?

Regarding iPhone vs Android, I’ve only ever used Android, but my friends with iPhones and Macs never seem to have access to the open-source software that I use and recommend, so I feel like that’s a big part to consider also. You’ll get roped into a proprietary ecosystem where it seems like every little app is trying to charge you money and won’t show you what it’s doing behind the scenes. If you already have an iPhone I’d understand if you need to weigh the economic feasibility of buying an entire new phone just for privacy as well.

Personally, I don’t really trust anything unless I’m given infallible reason to trust it, e.g. cryptographic proofs, audits, zero-trust models etc.; in this world it seems inevitable that someone will take advantage of your trust either today or tomorrow. If someone is truly on your side, they will do everything they can to take the need to trust them out of the equation, and failing that they should make it as clear as they can what trust is still mandatory and why. If you want to trust someone that doesn’t meet these standards, you do so basically at your own risk, and you’ll have to start doing some mental calculus on what they could get from you, what they might want it for, and how eager you think they would be to start misusing it (e.g., if you pay for a service, the servicer may feel less compelled to subsidize their income by selling your data).

It’s important to use services with a workflow that works for you; not every popular service is going to be a good fit for everyone. Find your balance between exhaustive categorization and meaningless pile of data, and make sure you’re getting more out than you’re putting in. If you do decide that an extensive amount of effort is worth it, make sure that the service in question is able to export your data in a data-rich format so that you won’t have to do it all again if you decide to move to a different tool.