Social networking, browser finger-printing techniques (even characteristics such as the window size can be used for tracking), writing style, choice of avatars, surveilance on your friends who are likely less experienced with computing and thus more vulnerable.
A million ways.. Even battery life. Stylograpy is at 70-80%+ assurance of a person now. It's all lost for the most part. Which is why there are covert programs that transcribe for you in a generic fashion or convert your writing style in-process (although the slowness of them annoy me). There are countermeasures to everything, but you need to be prepared to spend some money, learn new things, and devote the time/effort required to do it.
But as you point out, the biggest problem are low hanging fruit. Great, you are secured. Are your friends you interact with?? Heck no... So they become your weakest link in all of this and they will surveillance you through your friends/associates.
As for government agencies and surveilance, there's other better ways to prevent being tracked. This would include using environments with fake data setup on Windows (or better yet, use Linux) in-case Microsoft telemetry is being used to identify you, connecting to servers which are situated in foreign countries remotely and allowing them to handle operations, sending out random web request queries every hour from your network to cause genuine requests to be mixed up in thousands of random and meaningless search requests, storing personal and critical data on a machine which is not and never will be connected to the internet whilst maintaining encryption, etc. This is all theoretical though, I am not a surveilance expert who works for a government agency and probably never will be.
VPN to a remote COLO, RDP to a remote desktop within that colo. Then VPN out of that remote desktop. When the session ends kill the L2 VPN, kill off the remote desktop, which of course runs in a VM, leaving no trace of that session, then kill the RDP, then disconnect the L1 VPN to the colo and you are back. Have fun trying to trace all of that and establish any tracks.
Chaffing as we call it is awesome these days.. About 1,500,000 clicks, searches and web lookups come out of my home every week that are from automated systems designed for this purpose. Masking legitimate activity among a tremendous amount of noise. Blinded by the light, right?
See this little tiny friendly stick that measures 2inchx4inch? It's a quad core computer, it's only purpose in my home is to browse 1.5 million websites and click 1.5 million different links a week. That's all it does. Nothing else.
