Sad situation that ignition has even been told to shut up about it.
It's probably wise to assume they can do everything that is technically possible, which is knowing the results of all DNS lookups, destination endpoints, the content of unencrypted packets, and encrypted packets being forwarded to GCHQ for attempted decryption.
How to know source devices on IPv4 NAT? They can scan headers of packets for identifiable patterns. IPv6 makes this easier with devices getting individual routable addresses. I think it's no coincidence that UK ISPs are now finally rolling out IPv6 at a time the gov wants to spy on everything.
Using a VPN on your entire WAN (router as endpoint) will likely circumvent the majority of any data collection, however with a performance hit. DNSCrypt combined with using encryption on as much stuff as possible will give much more acceptable performance.
Configuring software to make it more secure of course also helps: browser fingerprints and whatnot can be removed/spoofed, and DNS prefetching is something to consider if you want to disable it. Prefetching has pros and cons. The con is that it can indicate what you were doing prior to loading a page, as a DNS lookup will be carried out for each link on the pages you are viewing; on the other hand, prefetching can flood their logs with a ton of IPs that you never visited, and could be considered if you like poisoning their logs.
The idea Google and others, including me, are pushing is an encrypted-only internet. Encryption is now very cheap, cheap in financial cost and computing cost. We have AES-accelerated processors, and the excellent ChaCha ciphers for non-AES devices. HTTP/2 can make HTTPS faster than plain HTTP, and Let's Encrypt provides free certs.
Be aware IPv6 is quite effective from the off: in data volume, more than 50% of EE's traffic is IPv6, and Sky is about 35-40% over 6 million customers.
Also, to anyone using a VPN or DNSCrypt, I suggest you do not use UK-hosted services, which the gov will have power over.
My DNSCrypt is currently hosted on a UK VPS I lease, but I have managed to source hosting in France with just a few ms more than London, so I plan to move my DNSCrypt endpoint there. In addition, in the French location I lease the entire server, which is somewhat more secure than just leasing a VPS.
I already don't host any of my own email or www services in the UK. So e.g. I don't have to comply with UK email log retention laws. For SEO worries, the French location funnily enough can supply IPs registered to the UK.
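The DNS prefetching trade-off mentioned in the post above, as an added example that is not part of the original post: it lists the names a DNS log would hold for one page view with prefetching on and off. The page, hostnames and function names are constructed for illustration, and "resolve every link on the page" is a simplification of what real browsers do; `x-dns-prefetch-control` is the opt-out that browsers honour.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkHosts(HTMLParser):
    """Collect the hostnames a prefetching browser could resolve for a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hosts = []          # document order, no duplicates
        self.prefetch_on = True  # a page can opt out with a meta tag

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "x-dns-prefetch-control":
            self.prefetch_on = (a.get("content") or "").strip().lower() != "off"
        elif tag == "a" and a.get("href"):
            url = urlsplit(urljoin(self.page_url, a["href"]))
            # mailto:, javascript: and similar links cause no DNS lookup here
            if url.scheme in ("http", "https") and url.hostname:
                if url.hostname not in self.hosts:
                    self.hosts.append(url.hostname)


def dns_names_seen(page_url, html, clicked=()):
    """Names a DNS log would hold for one page view plus any clicked links."""
    parser = LinkHosts(page_url)
    parser.feed(html)
    seen = [urlsplit(page_url).hostname]
    seen += [urlsplit(c).hostname for c in clicked]
    if parser.prefetch_on:
        seen += parser.hosts  # looked up without the user visiting them
    return list(dict.fromkeys(seen))  # de-duplicate, keep order


# Constructed sample page: two external links the user never clicks.
PAGE = "https://news.example/front"
HTML = """<html><body>
<a href="/story/1">local story</a>
<a href="https://bank.example/login">bank</a>
<a href="https://clinic.example/appointments">clinic</a>
<a href="mailto:ed@news.example">contact</a>
</body></html>"""
HTML_OFF = '<meta http-equiv="x-dns-prefetch-control" content="off">' + HTML

if __name__ == "__main__":
    print("prefetch on :", dns_names_seen(PAGE, HTML))
    print("prefetch off:", dns_names_seen(PAGE, HTML_OFF))
```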