The only way you can hope to be safe is to do Full Disk Encryption (FDE).
Well, it probably doesn't matter if you do FDE or just a 2nd level encryption like encfs (which I am using) - the disk controller will always end up deciding where the data ends up.
At that point what will matter will be the weakest link, which will probably be the host that you'll use to input/write your password => these thoughts will bring you to paranoia-level-2.
Paranoia-level-3 can be accomplished only with a full offline server.
Paranoia-level-4 is then really advanced, with no windows and double walls to avoid any kind of external leak of frequency.