I would like to think that I am pretty well informed about tech when compared with the general public, but I am clueless about all the ways user data can be obtained by someone else.

I bet that even the most well-versed security researchers don't know it all.

The trivial examples, like where users assume safety because they use HDD encryption and TLS but they run firmware they don't know about (like a whole parallel OS being run by some CPUs), are just what is very visible.

In practice, we should assume that everything that is connected and everything we do online is unsafe.