
I find this hard to believe given that security isn't about "having security", but about "not having buggy software". Unless you're a power user, you're probably mostly just using web applications at this point, so your main target points are the OS and the web browser.

Someone "using Linux" is likely to be running various things such as SSH/HTTP/file servers, native IRC clients, random build systems (running "npm install" instills a lot of trust on the NPM repository and any packages involved). All of these things increase the attack surface.



> Someone "using Linux" is likely to be running various things such as SSH/HTTP/file servers, native IRC clients, random build systems (running "npm install" instills a lot of trust on the NPM repository and any packages involved). All of these things increase the attack surface.

This is a fallacy. Rather than assessing the security of the linux kernel or linux distributions you're making an assumption about linux users and transferring the blame for their insecure practices onto linux itself.

Think of it this way: If a random Windows user that didn't engage in such behavior was to switch to linux it's unlikely that would suddenly change. If the linux kernel and system programs are more secure than windows that makes linux a good choice if that person cares about security.

Note: I'm not making a statement about the security of linux/windows, just pointing out a flaw in the above argument.


> Rather than assessing the security of the linux kernel or linux distributions you're making an assumption about linux users

I was responding to that assumption made by the parent:

> people who run laptops using linux probably have more security in the laptop than on their phone


The argument from the parent that using a laptop is "orders of magnitude" less safe than using an iOS or Android device is just not true. It depends what you're running on each device.


When you run any given application on your laptop, it's normally run in such a way that it has all of your user's privileges on the system; that is, it can access all files that you can access, it can look at the screen that you're looking at, it can produce any input that you can produce, it can manipulate the memory of any process that you can manipulate.

When you run an application on iOS or Android, it doesn't have those capabilities. It can only get them through security exploits. In theory it should be similar to looking at a web page. If a web page is able to read arbitrary files, that's obviously a bug in the system. If an application on your laptop is able to read arbitrary files, that's standard functionality.


You're right that from a defense standpoint, sandboxed OSes like Android and iOS are "better" than your average laptop. Granted. The point I (and probably your parent comment) were originally trying to make is that the amount of data stored on a phone makes it a very good target for vulnerabilities like these. None of my banking, chat, email, etc information is stored on my laptop because I access these things through the browser. That's not to say that this provides perfect security, of course, but it means someone can't come in with a zero-day that gets root on my system and just one-off uploads all my databases.

Apps that keep all this data locally, as is common on phones, are dangerous. Add the fact that most people have a phone as their two factor and you have a really bad situation when a phone is compromised. This, alone, makes phones an attractive target.


> because I access these things through the browser.

Meaning the session cookies are stored on your computer, meaning I can steal those and then do whatever nefarious things I want to do off-box. Locality is a myth, attackers don't care about that. They just want the data, and finding/weaponizing bugs is the hard part.


Regular people keep copies of banking, chat, email printouts in their "My Documents", even if they use Web applications instead of native ones for those services.

Speaking of native applications, usually many regular users still use native applications for email, chat, text processing, spreadsheets, etc.

So while you specifically might take care of having a very clean $HOME, most people don't.



