All of the below is subject to your knowing exactly what your target samples are and adjusting all the moving parts accordingly.
How do researchers go about studying these things without having to
illegally purchase them?
Setting up a honeypot is a common way to do this. Under the appropriate conditions and as means to capture malware for study in an appropriately secured environment, that is. Take a thorough look at the linked reference, but as key points I would highlight:
- Setting up your honeypot safely in an infrastructure that is appropriately isolated and purpose provisioned. That is, never violating the terms of service, should they apply.
- Make sure to not have conflicts of interest. Any evidence you obtain(in the course of a formal cybercrime investigation) by way of a honeypot is in a very complex legal juncture that I won't even dare to address. Never utilize hardware or software from a third party or your employer to perform your analysis if doing so violates applicable policy, company or otherwise.
Here is a diverse collection of honeypots you can test out. Again, nothing beats knowing your target malware and provisioning an appropriate environment(platform, isolation, firewall rules..) to capture a sample safely.
What technical precautions should be taken to ensure I do not harm
myself (my identity)?
You question is rather broad, and there are many moving parts. Practical Malware Analysis is a wonderful place to start (perhaps the best) regarding both analyzing malware and setting up a basic safe environment to perform your analysis. It also contains many samples that have been slightly changed to no longer be harmful, while maintaining malicious "type" behavior and obfuscation/packing.