I agree with all of your points other than 7. Use Tor for everything that cannot be linked to your real identity (i.e., don't use it for Facebook). I also would kind of say that JavaScript is the problem. I know people like to argue that JavaScript is fine and dandy and the browser or whatever is at fault, and technically that is true, but it is also true that not having JavaScript enabled makes you way less vulnerable to hacking attacks like this. JavaScript should always be disabled; it is required for a lot of browser hacks to work, and disabling it automatically protects you from a lot of potential 0-day attacks.