disable relaying

In normal configuration, Syncthing will always connect to relays, as it cannot know, if other devices need them and will connect through them to it.
To be totally private (to the extreme), disable relay and global/local discovery, set the listening address to something explicit, like tcp://:22000 instead of default and set the addresses of the remote devices to their hostname/ip address and port (like tcp:// instead of dynamic. And disable usage reporting and auto upgrade (if you really want).
Then the only connections Syncthing will ever make are direct connections to the other syncthing devices.

stubby for DNS privacy

Aber: im Networkmanager setzen, weil Networkmanager dnsmasq nutzt und dieser an der auf Anfragen wartet.
Prüfen mit
$ ps auxw | grep dnsmasq nobody 7781 0.0 0.0 60192 3720 ? S Sep11 0:00 /usr/sbin/dnsmasq –no-resolv –keep-in-foreground –no-hosts –bind-interfaces –pid-file=/run/NetworkManager/dnsmasq.pid –listen-address= –cache-size=0 –clear-on-reload –conf-file=/dev/null –proxy-dnssec –enable-dbus=org.freedesktop.NetworkManager.dnsmasq –conf-dir=/etc/NetworkManager/dnsmasq.d