The only linux distro that has meaningful security is android.
Linux sandboxing scene is completely broken for end-user usage, it’s only good for CICD pipelines. If I want to open a file with a program, I don’t want to see an empty drive, neither do I want to kill the program - there should be a proper interaction between the user and the program, like mobile OSs do. Flatpak does have something like that, but only for files and not even that is seamless (plus flatpaks mix packaging with security for no good reason, imo).
You literally run basically everything as the same user, every document, family photo is saved, and thus available for r/w by any process, as those share the exact same privilege. This includes that npm install with millions of dependencies as well, that could literally install a screensharing malware with clear access to any internet site and you wouldn’t even notice.
The age-old xkcd is still true: the only thing secured is being able to install a video driver.
Flatpak works fine for this. The discord flatpak only has access to my downloads. If I want to tweak that, I run the flatpak customizer UI. It's sort of vaguely annoying to have to restart the app.
Or I just run it in docker and only mount what I want. No VM overhead since cgroups are native.
Linux sandboxing scene is completely broken for end-user usage, it’s only good for CICD pipelines. If I want to open a file with a program, I don’t want to see an empty drive, neither do I want to kill the program - there should be a proper interaction between the user and the program, like mobile OSs do. Flatpak does have something like that, but only for files and not even that is seamless (plus flatpaks mix packaging with security for no good reason, imo).
You literally run basically everything as the same user, every document, family photo is saved, and thus available for r/w by any process, as those share the exact same privilege. This includes that npm install with millions of dependencies as well, that could literally install a screensharing malware with clear access to any internet site and you wouldn’t even notice.
The age-old xkcd is still true: the only thing secured is being able to install a video driver.