by pierlu 2550 days ago
I think the real moral of this story is that (like the fun vulnerabilities on Flash and Java that we might remember), a combination of keylogger or strange daemon might be running suddenly on your machine, scanning your files, either on OSX or Windows. Simply visiting a website. So better (as said) is to use a separate VM to access trusted domains (and yes, also VMs aren't these days so trustable). Better to use 2FA and ciphering on-disk sensitive info and lose the habit (if any) of storing a large number of files that streams from locally mounted cloud accounts, like Google file stream, OneDrive files-on-demand and so on.
1 comment

> So better (as said) is to use a separate VM to access trusted domains (and yes, also VMs aren't these days so trustable).

I would use the VM for accessing untrusted domains. If an exploit has your host system, then it also has the trusted VM.

> ciphering on-disk sensitive info

If an exploit has root-kitted your system, encryption does not help much. Presumably you have the unencrypted volume mounted; moreover, the attacker could log keystrokes.

If your machine is compromised, it is basically game over. Change all your bank accounts, e-mail, etc. credentials immediately, wipe the disk. Be suspicious about any file the malware may have touched.