HTTPS Everywhere would be a win (I'd have to think about whether it's enough of one to earn its place on the list, but if you added it, you could also suggest an ad-blocker --- another issue there though is suggesting ad blockers to journalists gets to a tricky place).
GPA is great, but the premise behind this guide is that if you're relying on passwords for Google you're already boned. It's a security win even with TOTP enabled, but I don't think it's enough to earn a spot.
These guidelines are being distributed to activists and journalists along with free U2F keys, for whatever that's worth.
IME, it breaks too many sites to give to all end-users; if the default configuration omitted sites listed as 'Partial'; maybe it would be passable. Maybe have a subcategory for intermediate users and put it there. Novice-level users (for lack of a better term) have no idea why the website is not working, and thus don't even know to consider disabling HTTPS Everywhere.
At some point there was a fake uBlock Origin in the Chrome Web Store and it ranked even higher than the original (afaik). Since then I'm a bit wary recommending browser extensions.
GPA is great, but the premise behind this guide is that if you're relying on passwords for Google you're already boned. It's a security win even with TOTP enabled, but I don't think it's enough to earn a spot.
These guidelines are being distributed to activists and journalists along with free U2F keys, for whatever that's worth.