Where to start with Linux?

I hear about incompatibility problems with hardware

This only gets better with time. When Windows Vista was released, Linux actually supported more hardware than Windows did, because it never had a comparable break in driver compatibility. Nowadays, unless you are buying bleeding edge hardware which just hit the market within the past month, just about everything works. Typically, once a piece of hardware is supported by Linux, it will remain supported until everybody who knows how it works dies. Linux may suffer with bleeding edge / niche hardware, but it shines above all others in keeping that hardware useful, even when there is no market incentive for the manufacturer to continue support.

You will run into problems here and there, but the grass isn't much greener on Windows where I have also experienced problems with oddball hardware. The only saving grace for Windows is if you buy a computer that ships with Windows, all the drivers will be installed. If you download the installation media directly from Microsoft, you end up in the same boat of having most of the hardware working, but having to tie up loose ends yourself.

So where do I start? I don’t even know how to choose hardware or what to look for.

I'd look in your closet for some old computer that you stopped using. Try it there first. Nothing to lose. If you don't have a heap of e-waste lying around, start with something inexpensive to learn the ropes, or try installing it on a virtual machine like VirtualBox. In general, just about any computer in the world will run Linux. You might just run into issues with oddball things like fingerprint scanners or wierd sensors (i.e. some laptops use accelerometers to stop spinning the hard drive if you drop it).

I’m unsure what I have to do to stay ‘safe’ on Linux.

This is easier to do than anywhere else. Linux comes in the form of "distributions." The distributor hosts a package repository, and you get all (well, 98%) of your software from that repository. This is different from Windows, where it is typical to download individual applications from all corners of the internet. As long as you trust your distributor, you are generally solid as far as safety goes. The only risks come from installing third-party software - but even then - you just apply the same logic as on Windows. Where is this program coming from? Do I trust this person / organization? etc.

The default settings are intended to be as safe as practical, and the various manuals and tutorials out there will warn you about doing stupid things. It usually requires manual intervention to make things unsafe.

Does Linux come with a trustworthy firewall/antivirus/malware detection?

It is rather uncommon to run antivirus software on Linux. This is typically only done on servers (for instance, a mail server screening attachments before forwarding them along to end users). You can install ClamAV, but this is redundant if you are getting all of your software straight from the distributor. In my humble opinion, antivirus software is a poor approach to security. Once a computer is infected, nothing on it should be trusted, including the antivirus software. Antivirus software is more appropriate as a data recovery tool than a prophylactic.

There is a firewall is built in to the kernel in the form of iptables or nftables, and there are some GUI programs for adjusting them. Again, a firewall isn't typically necessary unless you are running servers which listen for incoming connections. Typically, having your computer behind a router is sufficient. Unless your router is configured to forward incoming connections to your computer, those packets will be dropped there. Firewalls are more useful as a redundant method of making sure something like a database server, which is also configured only to accept connections from local processes, doesn't accidentally get misconfigured and accept connections from the open Internet.

I hear that ‘open source’ means people can check the code but how do I know if someone has checked the code—I wouldn’t know what to look for myself.

This is a valid critique. There certainly have been times where this assumption has turned out poorly. Still, it is a better situation than completely unverifiable proprietary software. At the very least, contributors to the individual pieces of software are looking at it, as well as the distributors which need to build and package it. There are a few layers of review taking place, even if they don't quite reach the level of a full audit.

TL;DR: If you are just using your computer for casual web browsing and shit, try out Fedora or Ubuntu. The installation media boots to a functioning desktop, and you can try things out and see if they work before committing to installing (this is not true for all distributions though).