Problem: Bitcoin goes up and you're not ready
If you're into bitcoin, you should be securing the bag. If it's on an exchange, sell it back to them and get non-KYC sats, either in person from a friend or via HodlHodl, Peach (mobile), RoboSats (lightning), or Bisq (advanced). Then you'll want to receive those sats into a wallet, preferably using an offline phone or a hardware wallet. But beginners usually opt for an online (hot) software wallet, and for most people a software wallet is going to be fine. Just remember that as the price of Bitcoin goes up, you could be in the uncomfortable position of holding more money than you meant to on a hot (exposed to the internet) wallet on your phone.
Software Wallet Apps
Phone
Invest in a second phone like a de-googled Pixel phone flashed with CalyxOS or GrapheneOS that never touches the internet. Then use Sentinel on your online phone as a "watch-only" wallet. A watch-only wallet doesn't have the private key but can be used to view balances and compose transactions. Signing happens elsewhere, and the signed transaction is then ported back to the watch-only wallet for broadcasting.
Dedicated Bitcoin Devices
Or if you're feeling frisky, get yourself a dedicated signing device to hold your private keys (aka, hardware wallet) like the one Foundation sells called Passport.
Pair this with a watch-only wallet like Envoy (mobile via VPN or Tor) for a smooth experience, or Sparrow Wallet (desktop + Tor) if you want a bit more granular detail for every transaction crafted.
Seed Words (Private Key)
Don't forget that regardless of whether you're using a software wallet or a hardware wallet, you'll need to back up your 12-24 seed words on paper or steel (unless you use Envoy, which supports encrypted microSD backups).
Bitcoin Node
Now if you really want to secure your bitcoin, but also protect your privacy, then you can invest in your own Bitcoin node, e.g., Tanto, and always run things over the Tor network.
This is because you're always using someone's node if you don't use your own, so you're trusting them to tell you that what you're receiving is actually Bitcoin (AKA it follows the rules of the network). You're also revealing information about yourself such as your xPUBs, the list of all your wallet addresses. This can be used to link all the Bitcoin going into your wallet as belonging to the same owner. This is arguably the last step on the journey to being a self-sovereign Bitcoin holder.
Final thought
Last step in terms of opsec (operational security) is to STOP telling everyone you meet that you own Bitcoin (guilty unfortunately). It's hard sometimes because you get drawn into conversations about the world and are tempted to evangelize. But be as vague as possible. Remember, Bank of America isn't holding your money anymore, YOU are. So if anyone gets a hankering for your funds, they know right where to find you.