There is a way that is 100% ban safe as far as I know, by making a new "clean" nand backup prior to every time you want to use homebrew/CFW/NSPs/etc, staying offline in airplane mode while using that software, and then restoring that clean nand backup prior to ever going online.
It's a pain in the butt but it works. I've been using Hekate since the first release and I'm still not banned. Additional precautions must be made though, if you want to be "100%" safe. There's no evidence that Nintendo is banning based on this (at least YET), but theoretically they could validate boot0 against a hash, and if it fails, they'd have good reason to suspect you're using autorcm. So you should get a good quality jig so you can leave autorcm off. Similarly, if you update without burning fuses, while Hekate (and CFW) can be used to bypass that check, if Nintendo uses that fuse count elsewhere in their telemetry they could ban you based on that.
So what I'm writing I think goes against some recommendations from this community, but I think the only "100%" way of avoiding bans but still being able to go online without buying a second switch, is to use "clean" NAND backups, don't avoid burning fuses, and don't use AutoRCM or "pinhax" while in stock.
That being said, I haven't been banned, and I do use AutoRCM. If I get banned, that will be why, but it's a risk I've been ok with taking so far.
EmuNand will make this much easier, but I don't trust SX's implementation.