The domain registrar and the email hosting then appear key to the whole security model – if they are compromised, all other accounts are.

So I'm trying to work out the details of how to go about it.

E.g. which email should I use with the registrar to buy the domain? Some throwaway one, which I then change to the new domain I am purchasing in a circular fashion once it is set up? Is that a good practice, or too risky for recovery should anything go wrong?

If I use a separate email address to buy the domain, then seems that email becomes crucial to the security of it all and then why even bother with paying for the domain and Fastmail etc. if I am relying on some pre-existing email account?

I'm probably way overthinking it, but since I'm working on this at all and the stakes are rather high I'd like to set things up properly, for decades.

The goal is to achieve reasonable security against: 1. Attacks that are not highly sophisticated or targeted 2. Getting arbitrarily locked out by Gmail etc., potentially then losing access to other important accounts 3. Me locking myself out by forgetting some secret

It seems surprisingly difficult to find a best practice guide for this scenario, how to set up a password manager with it, which recovery information/backups to keep offline etc. Information I find is either too vague or overly involved (after all I don't want to dedicate all my time to maintaining security, just want a reasonable setup). Any practical advice appreciated!