I think it remains the best in class for private browsing. They have to make difficult trade-offs that achieve acceptable levels of performance while not leaking metadata like a sieve. They do also have a good track record of handling security vulnerabilities.
For the average user, the greatest threat is actually everything outside the Tor browser. For example, downloading certain files using Tor, then opening it in another application that leaks your address to other parties (e.g. certain video players). The chance of this happening might be a lot higher on a Windows system. Another big mistake is funneling unsanitized traffic through a Tor SOCKS proxy, because many applications leak their addresses.
It's also worth mentioning that Tor still allows plain HTTP between the exit node and the destination website, so an ordinary user may not realize that they might be sending plaintext data.
For people who may be targeted by governments, those scenarios are vastly more complicated and depend on how much of a prize you are. Tor's strength lies in numbers and in the uncooperative nature between certain countries. There will certainly be more traffic-analysis-based attacks.
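As an added illustration of the "applications leak their addresses through a SOCKS proxy" point above (example code, not from anyone in this thread): the SOCKS5 CONNECT request an application hands to Tor's SOCKS port reveals whether the application let Tor resolve the hostname or resolved it itself first, which is the classic DNS leak. The hostnames and IPs below are constructed sample values.

```python
# Added example, not from the thread. SOCKS5 CONNECT (RFC 1928) layout:
#   VER(1) CMD(1) RSV(1) ATYP(1) DST.ADDR(variable) DST.PORT(2)
# ATYP 3 carries the hostname, so the proxy (Tor) resolves it inside the
# circuit. ATYP 1/4 carries a literal IP, which usually means the application
# already called the system resolver and the DNS query left in the clear.
import ipaddress
import struct

ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect(host: str, port: int) -> bytes:
    """Safe form: hand the unresolved name to the proxy (ATYP 3)."""
    name = host.encode("idna")
    return (struct.pack("!BBBB", 5, 1, 0, ATYP_DOMAIN)
            + bytes([len(name)]) + name + struct.pack("!H", port))


def build_connect_leaky(ip: str, port: int) -> bytes:
    """Leaky form: the app resolved the name locally and only sends the IP."""
    addr = ipaddress.ip_address(ip)
    atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
    return struct.pack("!BBBB", 5, 1, 0, atyp) + addr.packed + struct.pack("!H", port)


def classify_connect(req: bytes) -> dict:
    """Parse a CONNECT and flag literal-IP destinations as a possible local DNS
    resolution (a user-typed IP address is the expected false positive)."""
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", req[:4])
    if ver != 5 or cmd != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        n = req[4]
        dst, end, local_dns = req[5:5 + n].decode("idna"), 5 + n, False
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        n = 4 if atyp == ATYP_IPV4 else 16
        dst, end, local_dns = str(ipaddress.ip_address(req[4:4 + n])), 4 + n, True
    else:
        raise ValueError("unknown ATYP %d" % atyp)
    port = struct.unpack("!H", req[end:end + 2])[0]
    return {"dst": dst, "port": port, "local_dns": local_dns}


if __name__ == "__main__":
    # Constructed sample requests: one correct, one that betrays a local lookup.
    print(classify_connect(build_connect("example.com", 443)))
    print(classify_connect(build_connect_leaky("198.51.100.7", 80)))
```

The same parser can be pointed at captured traffic on the local SOCKS port to spot applications that resolve names themselves before connecting.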
There are some ways to mitigate some of the threats that you mention. Using Qubes or Whonix could prevent network access to other programs. The unencrypted requests can be blocked by turning on the EASE option in the HTTPS-Everywhere preferences. Tor doesn't have any way to protect against global adversaries performing timing analysis or attacks, though.
It is, though. Add HTTPS Everywhere to the toolbar using customize, and you will get the option to enable "Encrypt All Sites Eligible". Working as of Tor Browser 10.0 (ESR 78.3).
Version: 2020.8.13
Rulesets version for EFF (Full): 2020.9.14
Rulesets version for SecureDropTorOnion: 2020.7.30