IMO there are three basic tiers of threats that should inform your security choices.
I. Untargeted attacks: A common thief steals your device, or an untrustworthy acquaintance is snooping. Passwords should be enough most of the time.
II. Targeted attacks: Someone with expertise and tools is trying to get at your stuff. Current and top tier encryption software should be effective most of the time.
III. Security agencies: You are fucked. The best you can do is be as paranoid as you can, and then act twice as much so. Everything you type is logged. Everything you save is copied. Unless you can be certain that you aren't being watched, you are.
Guarding against a level II threat will almost surely protect you against a level I threat, and guarding against a level III threat will almost surely protect you against a level II threat. However, there is no level IV. In the case of a level III threat, it's just a matter of time.
There are also a few types targeted attacks.
1. I try to hack my boyfriends facebook using security questions that I know the answers to because I have a personal relationship with him.
2. I try to hack your/everyone's facebook using the released list of emails/password from the Adobe leak.
3. I use social engineering / piecing together of personal information via Google in order to get into your facebook even though I don't know you personally.