Comment on [deleted]
NutinButNet@hilariouschaos.com 9 hours ago
I place little value on someone's educational experience anymore, since a lot of this can be, and usually is, learned from nearly any place on the web or dark web.
It seems that for an evil maid attack to occur, someone would need to leave the device unattended, specifically with their admin/sudo account logged in so they can create the access they want later. That is, unless they discovered an exploit in the system that enabled them to gain that access by some other means.
The three best ways someone would be proactive against this attack are:
- never leave your device logged in and unattended without some sort of passcode system being necessary to get in and execute commands/programs.
- never leave “guest” accounts active on your device, even if they don’t have admin permissions. This can make it easier for someone to find other exploits to gain admin access.
- always separate your accounts. Have a dedicated account for admin-level escalations and use it only for that purpose and nothing else. If an attacker somehow draws your attention away and you leave your device unattended, at least this leaves them with no admin access on your main account.
If you suspect your device has been compromised, the best thing to do is to shut down and disconnect from the network (unplug the Ethernet cable and consider removing the WiFi card, even with the device powered off) and have a professional inspect it. I say that because even if you reinstall the OS or even get another OS, there's no way to tell if some hardware was added to allow intrusion, if we're worried about physical access to the device having been compromised.
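The second and third countermeasures in the comment above (no enabled guest accounts, a separate account for root escalation) can be checked mechanically on a Linux host. The script below is an added example, not code from the commenter or from any project: it parses passwd-, shadow- and group-format text and flags login-capable accounts with an empty password, enabled guest accounts, extra UID 0 accounts, and every account that can escalate to root. The sample account data is constructed for the example, and the choice of `sudo`/`wheel`/`admin` as the escalation groups and `/etc/passwd`, `/etc/shadow`, `/etc/group` as the file paths are assumptions about the host.

```python
"""Audit local accounts for the evil-maid exposures discussed above.

Added example. Parses passwd/shadow/group text; the sample data below is
constructed, and the admin group names and /etc paths are assumptions.
"""
from collections import namedtuple

# Assumption: groups whose members can escalate to root on this host.
ADMIN_GROUPS = ("sudo", "wheel", "admin")

# Reason codes are constants so callers can match on them.
EMPTY_PASSWORD = "empty-password"   # shadow field is empty: login may need no password
GUEST_ENABLED = "guest-enabled"     # guest* account that is not locked
UID0_ALIAS = "uid0-alias"           # a second UID 0 account besides root
ROOT_CAPABLE = "root-capable"       # can become root (uid 0 or admin group member)

Finding = namedtuple("Finding", "severity account reason")


def _records(text):
    """Yield non-empty, non-comment lines of a colon-separated file."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line


def parse_passwd(text):
    """name -> {uid, gid, shell}; passwd has exactly 7 colon-separated fields."""
    users = {}
    for line in _records(text):
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_shadow(text):
    """name -> password field ('' means empty, '!'/'*' prefix means locked)."""
    return {f[0]: f[1] for f in (line.split(":", 2) for line in _records(text))}


def parse_group(text):
    """name -> {gid, members}; members is the comma-separated 4th field."""
    groups = {}
    for line in _records(text):
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid), "members": [m for m in members.split(",") if m]}
    return groups


def is_login_shell(shell):
    """System accounts with nologin/false shells cannot be used interactively."""
    return bool(shell) and not shell.endswith(("/nologin", "/false"))


def audit(passwd_text, shadow_text, group_text):
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    groups = parse_group(group_text)

    # Accounts that can escalate: listed members of an admin group, or accounts
    # whose primary group is an admin group.
    admins = set()
    for gname in ADMIN_GROUPS:
        g = groups.get(gname)
        if g:
            admins.update(g["members"])
            admins.update(n for n, u in users.items() if u["gid"] == g["gid"])

    findings = []
    for name, u in users.items():
        if not is_login_shell(u["shell"]):
            continue
        pw = hashes.get(name, "x")  # unknown if the account has no shadow entry
        if pw == "":
            findings.append(Finding("high", name, EMPTY_PASSWORD))
        if name.startswith("guest") and not pw.startswith(("!", "*")):
            findings.append(Finding("medium", name, GUEST_ENABLED))
        if u["uid"] == 0 and name != "root":
            findings.append(Finding("high", name, UID0_ALIAS))
        if u["uid"] == 0 or name in admins:
            findings.append(Finding("info", name, ROOT_CAPABLE))
    return findings


def audit_host(passwd="/etc/passwd", shadow="/etc/shadow", group="/etc/group"):
    """Run the audit against the real files (reading shadow requires root)."""
    with open(passwd) as p, open(shadow) as s, open(group) as g:
        return audit(p.read(), s.read(), g.read())


# Constructed sample data: 'alice' does daily work, 'alice-admin' holds sudo,
# 'guest' has an empty password, and 'backup' is a hidden second UID 0 account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
alice-admin:x:1001:1001:Alice admin:/home/alice-admin:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash
backup:x:0:0:backup:/root:/bin/sh
"""
SAMPLE_SHADOW = """root:$6$saltroot$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltalice$hash:19000:0:99999:7:::
alice-admin:$6$saltadmin$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
backup:$6$saltbackup$hash:19000:0:99999:7:::
"""
SAMPLE_GROUP = """root:x:0:
daemon:x:1:
sudo:x:27:alice-admin
alice:x:1000:
alice-admin:x:1001:
guest:x:1002:
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP):
        print(f"{f.severity:6} {f.account:12} {f.reason}")
```

On the constructed data the daily-use account `alice` produces no finding at all, which is the state the third bullet aims for; `guest` is reported twice (empty password, enabled guest account) and `backup` shows up as a second UID 0 account, the kind of persistence an attacker with a few unattended minutes would leave behind. Whether an empty shadow field actually permits a passwordless login depends on the host's PAM configuration (`nullok`), so the finding is about exposure, not a confirmed bypass.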