It's a terrible idea to keep a credit card linked to ANY service, honestly. And really, if you can, definitely look into options (PayPal, Privacy.com, other credit card protective services) to protect yourself. Ultimately, the best option is to use something like Paysafecard or a disposable/prepaid credit card.
As for your other things outside of GOG... first off, you only really benefit with a VPN if you're trying to evade censorship or if you're visiting a lower-level site that you don't really know well, as all it REALLY does is protect your IP. It's not really a privacy tool as all the YouTubers and VPN providers claim, though they do help on sites that still haven't enabled HTTPS yet (which isn't many, at least at higher levels).
Vivaldi is a solid browser option but I wouldn't call it "security oriented" per se, not by default. Using 2FA is smart and in terms of AV, more often than not, paid solutions are bloated and give you features you most likely will never use. I use Windows Defender and while it's not quite Kaspersky-level good in terms of detection and features, it's solid enough as I don't visit sketchy sites and I'm cautious with emails and downloads. Plus, it has features to guard against most ransomware and to protect against some zero-day exploits so it pretty much has everything you truly need without much bloat. Also, be sure you run with a limited (non-admin) local account if you have Windows, as this helps a bit in preventing malware from running on your PC; Linux usually does similar by default. You also need to ensure you keep your OS and all your programs up to date; I recommend checking all of them once per week (or use a maintenance toolbox to help; I recommend Glary Utilities).
Those aren't the only ways you can protect yourself. You have to make sure your browser is configured properly as well. Ensure that you use HTTPS Everywhere (as Vivaldi hasn't enabled the ability to force HTTPS connections, at least last I checked). If you have the option, definitely enable DNS over HTTPS (which encrypts your DNS traffic, hiding it from snoopers and protecting against DNS-related MITM attacks), using a service like Cloudflare's 1.1.1.1 or Quad9; the former has an option to filter out malware domains at a DNS level, whereas the latter automatically blocks malware domains and is a bit more private overall (though 1.1.1.1 is slightly faster, not to the point of being noticeable though). It'd also be wise to switch your OS DNS settings to the same service. Additionally, I recommend using both AdGuard (enabling their security lists alongside the ad and tracker blocking) and Privacy Badger.
Also, it's a bit more advanced but you should definitely make sure your router and modem are regularly updated and have proper security settings enabled. It'd also be wise to make sure you start using a local password manager (I recommend KeePass, as it's open source and powerful), storing the encrypted backups of your password databases on at least two or three storage drives. Oh, and it's a bit more advanced but it's particularly useful if you're using a laptop and take it out of your house regularly: definitely look into encrypting your PC. Windows Pro versions have BitLocker, which is the easiest, but if you don't have that, VeraCrypt is a good option. Again, that's a bit more advanced so I only recommend messing with that if you do regular backups of your data (you should) and definitely watch a guide a few times just to be on the safe side.
There's no silver bullet for security or privacy but ultimately, users can't really do anything on the server end. They can, however, ensure that their PC, browser and internet connections are as secure and private as possible. That said, you'd be surprised how many banks actually have pretty chump security compared to some high-end tech companies. I even remember a story about how former Jagex CEO, Mark Gerhard, used to work with bank cybersecurity and was astonished at how much stronger that company's security was than all the banks he ever worked with. That was a while back so I'm sure banks have gotten better with it but yeah, it's not a one-size-fits-all situation. GOG has yet to be hit with any sort of leak or security scandal (other than the leak of Cyberpunk's source code but that's a different situation).
As long as you're doing all you can, I wouldn't worry about the rest. There's no perfect solution and never will be. It's why physical purchases are typically a lot safer (and one of a million reasons why I will always prefer in-store shopping when it's possible).
EDIT: If you are looking for help with any of this, you can typically find it on YouTube and other video sites. I personally recommend
YouTube) as they have a boatload of privacy and security videos, including a series of free course videos. Definitely one to binge if you're interested in this stuff but there are also others so pick your favorite.