That article recommends Tor for browsing without mentioning the dangers involved. Malicious exit nodes are not hypothetical. It's easy to make mistakes with Tor, so I'd be wary of a general recommendation to use it. People who know more about this than me seem to agree: https://twitter.com/thegrugq/status/797608924606173184
edit: I'm also unsure about the warning against fingerprint authentication. I use Touch ID with a long passcode and consider that the best trade-off. It prevents everyday attempts to get into the phone and offline cracking. The passcode is required after a longer time of inactivity. If you're paranoid you can touch your pinky against it five times in predictable situations (border controls etc.). It's not perfect, but I think it makes the best trade-off between convenience and security for most "normal" people.
An alternative is to just turn the device off before you walk up to a potential issue. That way you're assured that the TouchID won't be accepted (last thing you'd want is to learn it only registered X presses rather than the Y required to disable). In the event you are caught off-guard, disabling TouchID is as simple as just holding in the power button until the screen goes black. If you practice this a few times, you could accomplish this even in a stressful situation.
The exact same dangers exist with normal browsing. Intermediate nodes on your route can do whatever they want unless you use proper encryption. In fact, things like sniffing your traffic are routinely done by $ThreeLetterAgency.
Your argument is a classical example of "correct in theory, wildly misleading in practice". As you can see on https://trac.torproject.org/projects/tor/wiki/doc/badRelays (list isn't updated any more, so the real list is likely much longer) or http://www.cs.kau.se/philwint/spoiled_onions/techreport.pdf, there have been several cases where relays actively interfered with user traffic in a malicious way. Malicious exit nodes are used to MitM connections and sniff sensitive data.
Note that Tor doesn't mitigate the three-letter agency problem, as they can just sniff the exit node's target (I certainly would, there's bound to be lots of interesting traffic there).