Yes, that is a good start. Still doesn't protect you from anything else that happens on your phone/computer though. I personally believe that browsers are one of the greatest weaknesses with all the extensions and code that websites run on them. So address swapping in a browser is more likely than in a native app. That's why I use Nunchuk as wallet software.

bitcoin

How would you attack self-custody?

I think the main one is verifying the software. 

Got to admit that I can be lazy with that stuff. Important wallets I do but I should probably make a habit of verifying EVERY app just in case.