Ideally - a working machine, and a small home server with a hypervisor.
The most basic principle that is underestimated is not to work with full rights.
On critical machines, we set up a limited account, install the necessary software, set up a software restriction policy, nothing more - all ports are closed except those explicitly allowed, the machine is behind NAT. If round-the-clock work with this data is not required, we turn off the virtual machine when not needed. Access via RDP/VNC from a working machine with limited rights. It's secure, it's impenetrable. If the Internet is not needed when working with critical data, we generally prohibit access to the Internet.

at the input from the provider, two serial routers of different models

What for? Enough of the same Mikrotik, the main thing is that it is controlled by you, and not by the provider.
But if a person has a phobia, then everything is already complicated. Logical arguments will not help here. And unnecessary bells and whistles are unnecessary problems.
On the main machine - medium security, we surf the Internet there, do what we want, but do not keep critical data.

You can't protect yourself from burglary. You can only reduce the risks. Security can be upgraded endlessly, down to an isolated island with machine gunners around the perimeter and weapons of mass destruction. Security costs should not exceed the value of the protected.
We need to figure out what we protect and what is the budget. Maybe it would be easier not to have protected data at all and / or not to use anything more complicated than a microwave oven? Or will a separate computer without an Internet connection and a network with an encrypted file system work?

You just offer some kind of severe case of paranoia :)
A separate hardware computer without access to tyrnet. Only RDP from a neighboring wheelbarrow with control over IP (only one account can enter from only one IP). An over-paranoid version (the level of the First Department of USSR factories) - a computer, without wires at all in network cards - work only at the local console, data transfer on flash drives.

critical crypto data?) maybe a hardware wallet is simpler, if for work)

Try installing an antivirus with a firewall

Completely isolated from the Internet!

1) a hypervisor on the main machine, it has two virtual machines - for working with critical data and for Internet users. Perhaps also a third control virtual machine (monitoring, verification, etc.)

Pay attention to the Qubes OS operating system. It seems to be specially made for such purposes.

As an OS, read about https://ru.wikipedia.org/wiki/Qubes_OS here https://www.qubes-os.org/ they write that there is a security-oriented desktop operating system that is designed to provide security through isolation. Virtualization is based on Xen. And for the network, try pfsense according to the "router on a stick" scheme with vlans and other things like antivirus and ids / ips.