How do you secure Arch?

This is a vast question. Security is an extremely deep topic.
Did you take a look at the wiki? It may be a good starting point.

Of course, but it's too long - it will take a while to apply go through it all and understand them. I'm looking for more practical things I can get done now.
- This page is really to help you defining what would be of concern for you. There are too many use cases and security measures will differ greatly. It is not a step by step guide.
  At the very minimum, since your firewall is already setup, just make sure to keep your firmware up to date with fwupd if your machine supports it and follow the basic good practice below:
  regularly update your packages
  do not install intrusted packages
  use strong and unique passwords
  run your app tests (if any) within a sandbox
  If you need AppArmor as you mentioned. You should really invest efforts into it. ArchLinux is by nature a demanding distro for its setup. That being said once installed and activated (i.e. litterally 2 commands to run) you should be good to go unless you want to setup additional profiles.
  Once you figured out how to meet your own security needs, you can start the same lengthy process to address your privacy needs ;)
- But that's the nature of the beast. Unless one defines their threat model^[1], there's an ever-expanding list of improvements one might apply to enhance security; with -at some point- (mostly) diminishing returns and we've yet to talk about the amount of comfort that's sacrificed along the way. Therefore, before you do anything else, define your threat model. Afterwards, try to apply step-by-step whatever is required to protect your assets to a degree you're comfortable with^[2]. If, however, this seems like too much work for you, then consider either one of the following:
  Just go on with your life as if you hadn't become security-conscious. If you're just a random person that doesn't store anything valuable on their device in the first place and isn't a possible target to more sophisticated groups for whatever reason, then even in the worst-case scenario you can just reinstall your system and be done with it (assuming your home network hasn't been affected by malicious actors).
  Reconsider how you want to consume Arch and if Arch Linux is even the right distro for you. Distros like Fedora and openSUSE are better known for maintaining good security defaults and try to ever improve themselves in this regard. Sure, sometimes some of these changes are applied to Arch as well. However, by its very nature, Arch Linux is more akin to a blank slate.Thus, if you actually know what you're doing, then it's easier to get Arch Linux to wherever you want^[3]. But, becoming that knowledgeable is easier said than done.
  If you really like Arch, but also really care about your security, then it's probably best to look into the most impactful changes (security-wise) with the least amount of work associated to it. Simply not using packages from the AUR is one such change for example, if you can afford it...
  Digital security and/or cybersecurity is actually just one part of it.
  In terms of initial setup, (possible) maintenance and lost comfort.
  This even applies to hardening your system.

It all depends on your usecase to define the risk vs effort.

I work in a cyber security role, yet my personal laptop has minimal security, because it doesn't need it. Am I keeping military secrets on it? No. Does it contain bank records? No. So no full disk encryption, no app sandboxing, no AV scanning.

My work laptop... well, that's a different case altogether.

My advice: do 1 thing at a time and make sure you understand it. For example, do you need a SSH server on a desktop device? Just disable it and that's it secured. No need for additional jails, fail2ban, firewalls, etc... now it's easier to maintain, which improves your overall security posture.

Have a look at Lynis and CIS-CAT, etc to audit your system... if it's vulnerable and you don't use it, remove it.

That's why I use Arch... it only has the components you need.

Don't blindly run untrusted software, use Bubblewrap at the very least. Keep https://xkcd.com/538/ in mind.

Do you categorize AUR packages (if you didn't verify the PKGBUILD on every update) as untrusted?
- Yes. AUR package maintainer(s) are additional people who can add malicious code (or someone else can by compromising their account).
- I know that almost nobody treats it this way but the number one rule of AUR is that it's pretty much all untrusted, by definition.

Full-disc encryption, Firewall. Hardened kernel and ClamAV optional. Secure boot is a huge pain, don't know whether I'll pick up that project again.

I'll give ClamAV a look. Do you not bother with AppArmor or Firejail and the like?
- I prefer Flatpaks and for them I just settle for the build in controls. Hope they get better, but restricted FS access is mostly enough for me tbh.

If you don't know where to start, and what secure and on wich purpose, you really should take a look at "lynis".

That will help you a lot,

Looks like a pretty good tool. Thanks!

Tell everyone you know that you use arch btw and then nobody will come over to hack your computer

For AppArmor, instead of tweaking everything from scratch, I use

https://github.com/roddhjav/apparmor.d

and tweak what I need for my use cases

I use it too. One thing I could not figure out is how to get system tray icons (KDE) working though. No denied actions, yet they don't work.

I don't do much other than setting up ufw to block all ssh connections and the "standard" firejail configuration. There is also nextdns set up via my sbc (Orange pi zero 3) which is pretty nice for a "quasi-network-wide ublock".

Put it in a lead lined safe and stop telling people you use it.