@torjunkie. part 3.1 is already handled by torbirdy. with torbirdy installed, the view and send message setting is plain text.
part 3.3. can’t think why disabling cookies completely would be an issue. so, probably fine. however, since messages are viewed in plain text and remote content is already disabled, probably not a major risk. but, will add step to disable since thundrbird is only being used for email, not rss or anything else.
for the optional part of changing the passphrase of the gpg private key, i’m a bit confused about the threat model suggested by the guide you link. it says one may want to do this in case the private key has been compromised without one’s knowledge. but, i cannot think of a scenario where changing the passphrase of a compromised key truly helps in a meaningful way. the key should simply be revoked and retired.
for importing a public key sent as an attachment, not opposed.
the section on verifying and signing keys is more problematic since we’re dealing with anonymous users. main issue will be that, for other anonymous users, a true verification may never be a reality. but not opposed to it.