I mean, they really did. They asked how does one protect privacy. Security practices is how you protect your privacy. Their two examples are literal examples of security practices. That being said, security by obscurity is security theater. It sounds like security, but it’s not.

They did and I’m perfectly prepared to double down.
If I told people I used a password manager, and which one, I give a bad actor a target. I give a social engineer a thread to pull.
If I told people I had a bitcoin at an exchange, secured using a certain method, I’d be painting a target on me.
If I told people about a rock with a key under it, then I’ve given out far too much info. Sure you don’t know where I live, but small pieces of info can add up quickly. It’s flat out dumb telling people the details of your security. What form it takes, and what products or procedures you use. Just telling them what you’re protecting is too much. Don’t. It’s bad security practice. Like it or not, I’m actually trying to be helpful.