I want to prevent myself from reinstalling my system.

Any even remotely normal file on disk doesn't stop that, regardless of encryption, privileges, attributes or anything your running OS could do to the drive. If you erase partition table it'll lose your 'safety' file too without any questions asked as on that point the installer doesn't care (nor see/manage) on individual files on the medium. And this is exactly what 'use this drive automatically for installation' -option does on pretty much all of the installers I've seen.

Protecting myself from myself.

That's what backups are for. If you want to block any random usb-stick installer from running you could set up a boot options on bios to exclude those and set up a bios password, but that only limits on if you can 'accidently' reinstall system from external media.

And neither of those has anything to do on read/copy protection for the files. If they contain sensitive enough data they should be encrypted (and backed up), but that's a whole another problem than protecting the drive from accidental wipe. Any software based limitation concerning your files falls apart immediately (excluding reading the data if it's encrypted) when you boot another system from external media or other hard drive as whatever solution you're using to protect them is no longer running.

Unless you give up the system management to someone else (root passwords, bios password and settings...) who can keep you from shooting yourself on the foot, there's nothing that could get you what you want. Maybe some cloud-based filesystem from Amazon with immutable copies could achieve that, but it's not really practical on any level, financial very much included. And even with that (if it's even possible in the first place, I'm not sure) if you're the one holding all the keys and passwords, the whole system is on your mercy anyways.

So the real solution is to back up your files, verify regularly that backups work and learn not to break your things.

What's your end goal here? You try to keep files just on that one media without any options to make copies of them? Or maintain an image which has enforced files at their directories? And against what kind of scenarios?

ACLs and SELinux aren't useful as they can be simply bypassed by using another installation and overriding those as root, same thing with copying. Only thing I can think of, up to a degree, is to use immutable media, like CD-R, where it's physically impossible to move files once they're in place and even that doesn't prevent copying anything.

Geeqie is a quick one to go trough photos and it groups RAW+JPG as a single item on preview, so even a few hundred photos are quickly ran trough with just a keyboard. I'm not sure on how well it manages tags as I don't use it for tagging, but it's most likely in your distros repository so testing it out is quick.

Then do sudo apt install xfce4 and sudo apt purge cinnamon* muffin* nemo*.

It's been a while since I installed xfce4 on anything, but if things haven't changed I think the metapackage doesn't include xfce4-goodies and some other packages, so if you're missing something it's likely that you just need to 'apt install xfce4-whatever'. Additionally you can keep cinnamon around as long as you like as a kind of a backup, just change lightdm (or whatever login manager LMDE uses) to use xfce4 as default. And then there's even lighter WM's than XFCE, like LXDE, which is also easy to install via apt and try out if that works for you.

I understand the mindset you have, but trust me, you'll learn (sooner or later) a habit to pause and check your command before hitting enter. For some it takes a bit longer and it'll bite you in the butt for few times (so have backups), but everyone has gone down that path and everyone has fixed their mistakes now and then. If you want hard (and fast) way to learn to confirm your commands, use dd a lot ;)

One way to make it a bit less scary is to 'mv /tmp' and when you confirmed that nothing extra got removed you can 'cd /tmp; rm -rf ', but that still includes the 'rm -rf' part.

Absolutely. Maybe leave Gnome/KDE out and use a lighter WM, but they'll be just fine. Specially if they have 8GB or more RAM. I suppose those have at least dual core processors, so that won't be a (huge) bottleneck either. You can do a ton of stuff with those beyond just web browsing, like programming/text editing/spreadsheets and so on. I'd guess that available RAM is the biggest bottleneck on what they can do, specially if you like to open a ton of tabs on your browser.

Make sure you have package alsa-utils installed and try to run alsamixer. That'll show all the audio devices your system detects. Maybe you're lucky and it's just that some volume control is muted and if you're not it'll give you at least some info to work with. Majority of audio devices don't need any additional firmware to work and they almost always work out of the box just fine. What's the hardware you're running? Maybe it is something exotic which isn't installed by default (which I doubt).

And additionally, what you're trying to play audio from? For example MP3's need non-free codecs to be installed and without them your experience is "a bit" limited on audio side of things.

They both use upstream version number (as in the number software developer gave to the release). They might additionally have some kind of revision number related to packaging or some patch number, but as a rule of thumb, yes, the bigger number is the most recent. If you should use that as a only variable on deciding which to install is however another discussion. Sometimes dpkg/apt version is preferred over snap regardless of version differences, for example to save a bit of disk space, but that depends on a ton of different things.

Mullvad (apparenlty, first time I've heard from the service) uses DNS over TLS and I don't think that the current GUI version has the option to enable it. Here's a quickly googled howto from Fedora on how to enable it on your system. If that doesn't help search for 'NetworkManager DOT' or 'DNS over TLS'.

I don’t know where the Debian project is based.

Trademark and at least some copyright for the project is owned by an entity in the New York and Ian Murdoch who started the project was US citizen. But calling the whole project as USA based is wrong, it is based 'on the internet' as even the core team is spread across the globe.

5.2 for me. I got it as a gift, in a offical retail box. I think the box with manuals is still around somewhere, but I'm not sure where.

I'm not familiar with vnstat, but man page mentions --oneline -parameter, so something like vnstat --oneline|cut -d';' -f6 might be pretty close and you could format that as you wish with sed or awk, shell script or even python if you like.