Even the *cables* and patch cords can have bugs hidden in the connectors. Trust *nothing*. Encrypt everything -- I think outside SRAM caches on the CPU there should be no unencrypted data at all -- even DRAM contents should be encrypted.
Of course, key generation and distribution will be the soft underbelly for NSA, CSEC, GCHQ et al. to feast on.
But as you point out, give yourself the "reasonable expectation of privacy" that encrypting everything will allow you to claim in court. Force them to tip their hand with actions. Make "parallel" construction so hard it looks laughably obvious. Make un-targeted surveillance prohibitively expensive. Make targeted spying hard enough and costly enough that they'll only use it against real adversaries and not their own citizens and dissidents / political opposition.
It seems to be the only answer and the only way we'll hold on to the freedoms that so many of our grandparents fought, bled, and died for.