I've been a part of this community for around two years; mostly a lurker, but I've shared my two cents whenever I think it's needed. Recently I've seen a significant uptick in paranoia which isn't warranted; no, you aren't getting a CD. Go get your pack.
People who get popped off usually (from what I've seen) have major OPSEC flaws. If you play this game by the rules we all know and love, you won't run into problems. This is especially true for those ordering personal amounts of any substance.
Take a deep breath and relax. I've been there too: those moments of paranoia are all too real for all of us. Of course the NSA and FBI are scary organizations which overstep their legal boundaries; but they aren't wasting their time on you.
TLDR; relax. Follow basic opsec and you will be okay.
Your OpSec can be on fleek...but is the vendor's? I think we have seen plenty of examples of the buyer doing everything properly, yet the vendor is keeping a db of customers. Not only is that bad OpSec, they are kept in plain text, unencrypted on a USB drive somewhere.
Just like when these big companies get hacked and we eventually discover, often months after the fact...that they didn't salt their user's passwords and PII. You use a different password for each account, you did your part, right...?
You can still be part of the collateral damage that ensues...after the organization, you expected to handle your data securely, gets exploited due to someone elses improper implementation.
The same applies to vendors. Are some of them saving names and addresses in clear text on an unencrypted drive? Which in turn, could lead leo to the buyer and yada yada yada.
Keep that scenario in mind...it happens more often than one thinks. Just food for thought.