Seems that the best answer here lies in a combination of several answers. Segregating your networks, physically and logically, will go a long ways towards providing some peace of mind on the local front. There are excellent comments above from security experts as well as excellent advice here and here.
As to your specific question raised above - how do you mask your public IP address?? I use a combo of Cloudflare (the free version) with DNS-O-MATIC. It works as long as you have the HTTP proxy (CDN) active for the relevant A records.
In my case, if you ping, dig, tracert or search my URL on whatsmydns, you see the public IP for the cloudflare account. There is no visibility of my “real” public IP. I would be curious as to others experience with Cloudflare and if there are tools that allow you to snoop the real IP from that service.
Of course, these are only two services, there are others and possibly better options. YMMV.