I do the same.
And FWIW, your (our) paranoia is justifiable. As mentioned in another comment, GoDaddy is historically notorious for front-running domain searches. ICANN tried to make that a bit less practical, but I just assume that they (and other sketchy registrars) still do it.
If you search directly through whois (i.e. from the command line), you should be OK. That's been my strategy, and I think it works.
I decided for myself that there’s no need to buy a domain up front. I don’t even let myself look for potential domain names or start asking ChatGPT to provide me with some naming ideas. Most of the time, the project doesn’t even reach MVP state. During development and research I also learn more about my project and similar products, thus helping me decide on a good name.
I agree that there's no need, and that yours is the reasonable approach.
That said, I often have project/product ideas at times when I cannot work on them. In fact, always. But I enjoy noodling on names and branding, and if I come up with a really good name that's available in .com, I register it.
I have revived project ideas 15-20 years later, and have been happy to have a great domain for it which would absolutely not have been available "now".
Of course I have many more domains that are patiently awaiting their prioritization.
The registration fees add up (and I do feel bad about reserving them for myself, although I've given a few away to persuasive requesters, and I've sold a few which, in aggregate, more than cover all of the registration fees).