That assumes that there are never zero days or other unpatched vulnerabilities. You should not trust applications because you have access to the source. Nobody is actively auditing the vast majority of open source code, well except of malicious actors who probably have a handful of remotes in a lot of RSS readers, chat apps, microblogging clients, etc., which they can use to compromise activists and journalist naive enough to trust desktop Linux.

A lot of Android vulnerabilities are bugs in open source parsers of untrusted data (open source as in AOSP or more widely used open source libraries). But the impact is smaller because Android has proper security boundaries. If desktop Linux was as popular as Android -- we would have a security disaster of epic proportions.

IMO flatpak should assume untrusted too, unless it's a distro specific repository of strictly reviewed/controlled code (like Fedora Flatpak repo, etc).

Hahaha, oh that is a hilarious attitude, you really believe that F/OSS means that implicit trust can be granted all across the supply chain. That I have access to the source makes a lick of difference in terms of vulnerabilities or exploits that can be found.

Once in college I cited Linus's Law in an impassioned apologia for Open Source. And I was duly corrected. Because Linus's Law really has no basis in reality.

https://en.wikipedia.org/wiki/Linus%27s_law

The reason Linux has such a model of blind trust in system services and applications is because it was based on Unix, which had an even more naïve model, because mostly, it was administrators and authorized users installing that stuff, there was more top-down monitoring and control, and just a smaller incidence of naked malice.

It's the same thing we see in earlier versions of Windows, or macOS, or the Internet. Look at the Internet in the mid-90s. Was it secure, with all the open source running on it? Hell naw. Every OS and protocol is vulnerable and attacked, and every OS and protocol revises security models based on modern-day threats. F/OSS saves nobody and mitigates virtually nothing.

To answer the GP, sandboxing has to be bolted-in to Linux after the fact. Linux's POSIX model is so old and needs to be so compatible. The only sandboxing in SVR3 Unix was chroot(2), you know? The Docker support and cgroups and virtualization are all new layers, and need careful integration. Nobody says that F/OSS doesn't need sandboxing. Nobody says that F/OSS is so secure that it can deviate from better-secured models. Quite the opposite.

Android and iOS are clean starts, mostly; didn't need to be backwards compatible, so they're tuned to the latest threat models of adversarial computing as you describe. But every single app you install on Linux could be a malware, too. I have no idea what "trusted security" or "untrusted security" are, but they aren't real terms of art in Cybersecurity, and they do nothing to describe the provenance or evolution of Linux security (which often has a lot of unused mitigations such as AppArmor or SELinux that get turned off right quick.)

Ah, I thought Ubuntu only had the Debian package manager, but that's not the case anymore.

I only use Linux on servers, so the kind of stuff I need is always traditional apt-get, but yeah I always assumed using it on a PC would involve tons of snap or flatpak apps where they don't want to deal with the complexities of dependencies.

Ok, I do have one spare Linux laptop in my garage that I barely use, and I'm pretty sure how ever I installed Chromium used snap.

Hah! I stand corrected. Thank you for that. I always forget about his diving software.

…it’s just too bad that Bluetooth stack is one of the worst ever conceived, you have zero options for an alternative, and you still have to get all your help from a volunteer support team.

FreeBSD has a desktop, doesn't it?