The Linux desktop user base consists largely of people seeking better privacy and security than the proprietary desktops offer. Unfortunately, Linux developers by and large do not prioritize your security and do not design with the threat model of desktops and phones in mind. The majority of Linux's market share is in the server space, where competent administrators patch and harden their systems; that is not something you can do in a click. Most distributions do not ship basic application sandboxing or verified boot by default, and Secure Boot support is not universal either (Fedora and Ubuntu, which do ship it, get a lot of hate from the community for that).
The Linux kernel lacks some basic security features that other kernels have. It is important to note the distinction between the Linux kernel and the Unix-derived BSD kernels: the BSD kernels are considerably better in terms of security than what Linux offers. OpenBSD, for instance, enforces W^X and ships privilege-reduction primitives like pledge(2) and unveil(2) that its base system actually uses. Linux is not "secure by default"; it requires you to make it secure.
I have often seen the argument from Linux enthusiasts that the repositories are a better way of getting applications than scouring the web for executables. That is true as far as it goes, but keep in mind that a repository is also a single point of failure: whoever compromises it, or the mirror you happen to pull from, can serve you anything. Repos are only a safe way of getting software when they implement sound practices: hash verification of every artifact, compiling with hardening flags, downgrade prevention, fs-verity, signature verification of the metadata, TOFU key pinning and so on. The way Android does it is very secure and can be a good inspiration.
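To make the list above concrete, here is an added example (not code from the original post or from any distribution's package manager) of the checks a repository client should perform before installing anything: pin the repository key on first use (TOFU), verify the signature on the metadata, reject metadata older than what was last seen, verify every artifact's hash, and refuse package downgrades. The manifest, packages and key are constructed inline; the signature is textbook RSA with small hard-coded primes so the block runs offline with only the standard library, which is an assumption for illustration, not something a real repository should do (use Ed25519, RSA-PSS, GPG or similar).

```python
import hashlib
import json

# Toy RSA key. ASSUMPTION: tiny primes so the example runs offline with the
# standard library alone; never use this construction for real signing.
P, Q = 104723, 104729
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBKEY = (N, E)


def key_fingerprint(pub):
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()


def sign(payload, priv=(N, D)):
    n, d = priv
    h = int.from_bytes(hashlib.sha256(payload).digest(), "big") % n
    return pow(h, d, n)


def verify_sig(payload, sig, pub):
    n, e = pub
    h = int.from_bytes(hashlib.sha256(payload).digest(), "big") % n
    return pow(sig, e, n) == h


def canonical(manifest):
    # Signer and verifier must hash identical bytes, so use a canonical encoding.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def version_tuple(v):
    return tuple(int(x) for x in v.split("."))


def verify_update(repo, manifest_bytes, sig, pub, files, pinned, state):
    """Return "ok" or the first reason the update must be rejected.

    pinned: TOFU store, repo name -> key fingerprint seen on first contact
    state:  installed version per package plus the last accepted manifest serial
    """
    fp = key_fingerprint(pub)
    if pinned.setdefault(repo, fp) != fp:        # trust on first use, then pin
        return "repo key changed"
    if not verify_sig(manifest_bytes, sig, pub):
        return "bad manifest signature"
    m = json.loads(manifest_bytes)
    if m["serial"] <= state.get("_serial", -1):  # replayed or older metadata
        return "stale manifest"
    for name, meta in m["packages"].items():
        if name not in files or hashlib.sha256(files[name]).hexdigest() != meta["sha256"]:
            return f"hash mismatch: {name}"
        old = state.get(name)
        if old and version_tuple(meta["version"]) < version_tuple(old):
            return f"downgrade rejected: {name}"
    # Commit state only after every check passed.
    state["_serial"] = m["serial"]
    for name, meta in m["packages"].items():
        state[name] = meta["version"]
    return "ok"


# Constructed sample repository: two package blobs and a signed manifest.
FILES = {"openssl": b"openssl 3.0.9 build", "sudo": b"sudo 1.9.14 build"}


def make_manifest(serial, versions):
    m = {"serial": serial, "packages": {
        n: {"version": versions[n], "sha256": hashlib.sha256(FILES[n]).hexdigest()}
        for n in versions}}
    b = canonical(m)
    return b, sign(b)


def demo():
    pinned, state, results = {}, {}, []
    b, s = make_manifest(1, {"openssl": "3.0.9", "sudo": "1.9.14"})
    results.append(verify_update("main", b, s, PUBKEY, FILES, pinned, state))
    # A mirror replays an older but correctly signed manifest.
    b2, s2 = make_manifest(0, {"openssl": "3.0.8", "sudo": "1.9.14"})
    results.append(verify_update("main", b2, s2, PUBKEY, FILES, pinned, state))
    # Newer serial, but one package version rolled back.
    b3, s3 = make_manifest(2, {"openssl": "3.0.8", "sudo": "1.9.14"})
    results.append(verify_update("main", b3, s3, PUBKEY, FILES, pinned, state))
    # Tampered artifact served under a valid manifest.
    bad = dict(FILES, sudo=b"backdoored sudo")
    b4, s4 = make_manifest(3, {"openssl": "3.0.9", "sudo": "1.9.14"})
    results.append(verify_update("main", b4, s4, PUBKEY, bad, pinned, state))
    # A different signing key shows up after first use.
    results.append(verify_update("main", b4, s4, (N + 2, E), FILES, pinned, state))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Each rejection in `demo()` is a distinct failure mode the list in the text guards against; note that state is committed only after all checks pass, so a manifest rejected for one package does not advance the serial and let a later replay through.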
That is "security through obscurity", not a good approach to keeping your PC secure. A system is only secure when it is built to be secure from the ground up, like ChromeOS, Android, QubesOS, Whonix or iOS. "Hardening", aka "turd polishing", does not help much.
Let's say your threat model is that of a regular citizen and you don't care about any of this. You use Linux because you like the look of it and can customize it to your heart's desire. Go ahead, use Linux. More power to you.
Where it really gets worse is the case of a regular citizen who has been fed all those lies and comes into possession of sensitive material about a foreign country. This person does not have their government, or Google, in their threat model. They will store all that material on their "unhackable" Arch Linux box, and we know what happens next.
Misinformation can be a dangerous tool, as the scenario above shows. It is important to have correct information and to act on it the right way.
I will quote Privacy Guides here:
These myths stem from a number of prejudices, but the source-availability and licensure of a software product does not inherently affect its security in any way. Open-source software has the potential to be more secure than proprietary software, but there is absolutely no guarantee this is the case. When you evaluate software, you need to look at the reputation and security of each tool on an individual basis.
Open-source software can be audited by third parties and is often more transparent regarding potential vulnerabilities than its proprietary counterparts. It can also be more flexible, allowing you to delve into the code and disable any suspicious functionality you find yourself. However, unless you review the code yourself there is no guarantee that the code has ever been evaluated, especially with smaller software projects, and the open development process can sometimes be exploited by malicious parties to introduce new vulnerabilities into even large projects.
On the flip side, proprietary software is less transparent, but that does not imply it is not secure. Major proprietary software projects can be audited internally and by third-party agencies, and independent security researchers can still find vulnerabilities with techniques like reverse engineering.
At the end of the day, it is vital that you research and evaluate the privacy and security properties of each piece of software being used and avoid making decisions based on biases.
P.S. I don't hate Linux in any way; I pointed out its flaws, that's all. Much love to the Linux devs for their awesome work, and much love to the community in general (except the Arch community, maybe?).