I used Secureblue, it is an interesting project. Most what they do is change some switches, set configs, disable stuff from loading etc.
They also include bubblejail, a pre-release but very cool way to sandbox applications that need broader access, most importantly namespace creation for browsers and electron apps. Likely VPN clients too.
They also make hardened_malloc work on desktop linux, which causes issues, the implementation is kinda hacky and incomplete, and there are simply a ton of UX issues with it, like excluding apps while still keeping security.
Android uses a very slim Kernel, secureblue uses the Fedora kernel and just prevents stuff from loading. This will be less secure.
Because they did some controversial things that are not reversible on Fedora Atomic Desktops (like Silverblue, Kinoite etc, which they are based on) I switched to vanilla Kinoite and harden it manually. It is kinda fine.
Linux and Android are complex. I could write 1000 words here. Google has basically replaced everything from a regular Linux distro with different methods.
- bionic vs glibc
- dalvik vs native libraries
- userspace filesystem drivers (fuse) instead of kernel drivers
- the entire way you boot, have accounts and separate systems is custom
- the way apps are sandboxed is custom, uses SELinux (like Fedora) but for every app, on Fedora all user apps run unconfined
- the way updates work for apps and the system is custom and very secure
- integration with the firmware is waaay more advanced, also because of hardware like the secure element. You may only get this on a recent Novacustom/Nitrokey Laptop with Heads Firmware, intel bootguard and a TPM, may still be less secure
- protection of memory
- protection of the USB port, and there are no other ports to use (unlike laptops with thunderbolt, SATA, PCIE and others with huge attack surface)
- Core VPN functionality integrated into the OS, VPN apps dont need broad access (like blocking network, always on)
- Captive portal and other systems being sandboxed to protect against insecure networks
- 3 profiles easily accessible within the owner profile, allowing easy separation also including used VPNs/i2p/Tor and DNS
- Android running entirely without root. We are trying to make this work on desktop Linux too, but there are always issues
Desktop Linux is WAY more customizable though. Like, it is extreme. Backups, linking folders, accessing various external drives, encrypted external drives, virtual machines. And the app ecosystem is simply different, Android is still not suited for most production jobs (office, mail, content creation, data analysis, science, etc)