all it would take to pwn most of the people on SR is a remote code execution vulnerability for SR + a non-javascript code execution vulnerability for Firefox. Tor itself has had plenty of remote code execution vulnerabilities. OTR just patched a remote code execution vulnerability. Even the people who are using isolation are just an SR/Apache/Tor exploit + firefox/Tor exploit + hypervisor exploit away. People using airgaps can protect their encryption plaintexts from hackers but not their IP addresses, and once located a really good hacker will know how to carry out a TEMPEST attack to spy on plaintexts. Hackers routinely sell mutli-zero-day combination exploits, for hundreds of thousands to millions of bucks, but they can be reused on all vulnerable targets until they are patched. Hackers of that skill level can penetrate damn near anything that isn't formally verified and I am under the impression that there are even highly advanced physics based attacks against these systems (this stuff is beyond my level). Look at Stuxnet for fucks sake they infected nuclear centrifuges that were not even connected to the internet via a worm that spread from USB device to USB device until they got lucky enough that someone working on the centrifuges exposed a contaminated USB to their network. We would not have any luck against that level of attacker.  Someone using ASLR, airgaps, mandatory access control profiles, dedicated hardware critical process isolation, nx bit, IDS/IPS, fully patched everything on some minimalist OS (preferably on top of a formally verified microkernel) with a hardened browser and OS who is connecting to a similarly secure server....would make a very hard target for a hacker. But even this level of security has been penetrated in the past and can be penetrated by some attackers still.