This repo https://github.com/amq/firefox-debloat maintains an up-to-date list of options that should be disabled in about:config to prevent data leakage:
Google "Safe" Browsing
Sends every URL you visit to Google, this means if you hacked a site and use an unprotected web-shell to manage it, Google will know the web-shell's URL and what IP you visited it from.
Sends data reports to Firefox about your browser performance and stability
Leaks a real IP of your internet connection even when you use Tor/VPN
Encrypted Media Extensions (DRM)
A binary plugin with unknown source code that comes with Firefox since version 38. Allows you to play encrypted media content and use Netflix and others without Microsoft Silverlight. It uses Intel chipset and CPU hardware instructions to invoke communications, thus can affect your hardware maliciously without your consent.
To completely uninstall the plugin, you need to use the version of the EME-free Firefox browser: download.cdn.mozilla.net/pub/firefox/releases/latest/win32-EME-free/ or use Firefox ESR builds provided by Debian/Ubuntu and other Linux distributions.
Firefox connects to third-party services ("Telefonica") without user consent
A third-party service for manipulating "read later" articles/publications.
Everything you write in a browser search or URL box is instantly sent to remote servers