As an IT professional, I cannot honestly do this without going much further (like teaching them about using an open-source OS instead of Windows, the dangers of modern hardware components like PCI NICs, BIOSes that may be remotely infected or modified by malware, keyloggers, TEMPEST, defeating TrueCrypt, PGP and BitLocker with memory dumps, etc.), which is way out of scope for a normal person.
I don't think it's feasible for most IT-savvy people to access the Internet using commodity hardware (regardless of software) without exposing themselves to mass surveillance, or at least to inherent weaknesses that may be exploited for that purpose at some point, once secure client-side encryption becomes widespread enough that just snooping traffic at major backbones is no longer sufficient.
As a result, it would feel wrong to give people a false sense of security by teaching them about client-side encryption only.