I have considered many options for a secure way to access .onion sites, but I have not been able to find one. In general, these are the methods I considered:
- Tor Browser running on Tails
- Tor Browser running on Qubes OS (Qubes-Whonix or otherwise)
- Carburetor running on secureblue
- Tor Browser running on GrapheneOS
- Orbot running on GrapheneOS with Vanadium
- Tor used as a proxy on GrapheneOS (and then Vanadium)
- A router with Tor routing set up (and then Vanadium on GrapheneOS)
My thinking here may be wrong or have flaws, so please correct me if I am wrong. I am writing this in good faith in hopes of answering my question. I am not intending to spread any (m/d)isinformation. I will go through the issues I found with each one by one:
Tor Browser + Tails
Tor Browser has security issues, as pointed out by GrapheneOS: "The Tor Browser's security is weak which makes the privacy protection weak." That already poses an issue with Tails; however, Tails is designed to be amnesiac and so should not be linked to any personal information if used properly. Tails itself, however, has security issues, because it is based on Debian. Here is a random article about Debian security issues, but there are many like it. Besides its security issues, it isn't suitable to be used for browsing .onion sites on a regular basis, so it is not a good option.
Tor Browser + Qubes OS
Qubes OS is not a Linux distro, so it lacks some of the same security issues present in Linux distros, especially with regard to isolation. However, Qubes OS does still "emulate" Linux distros, so it isn't a silver bullet. Whonix inside of Qubes OS or a Fedora-based distro inside of Qubes OS are decent options, but still a far cry from the security GrapheneOS provides. Even still, Tor Browser is the only* option for accessing .onion sites in this scenario, and so the security issues with Tor Browser remain.
Carburetor + secureblue
secureblue provides some of the hardening GrapheneOS implements, so it is likely the most secure option as far as Linux distros go. Using Carburetor with Trivalent is a decent way to sidestep some of the security issues with Tor Browser, since Trivalent has some of the same upstream hardening as Vanadium. However, secureblue is still based on Linux and therefore has some of the same embedded security issues with Linux.
Tor Browser + GrapheneOS
Gecko-based browsers have sandboxing issues, especially on Android, so this is not a good option. There isn't much to say here.
Orbot + Vanadium
Orbot on its own has issues, so it isn't a good option.
Tor proxy + GrapheneOS
GrapheneOS has support for proxies, but it is recommended to use official VPN apps instead: "We recommend using one of these VPN apps instead of the built-in IPSec VPN support." I would like to know if this use case is an exception to this recommendation.
Router + Tor
Many routers allow routing the internet connection through Tor; however, the most secure options available are based on Linux, so they have the security issues of Linux, and networks should not be trusted anyway (because this approach is leaky).
Even if Tor was set up on GrapheneOS, Tor in conjunction with Vanadium is not recommended for anonymity reasons. This puts me at a loss. If Linux and Tor Browser are insecure, and Tor with Vanadium is not recommended, is there any secure way to access .onion websites? What are the recommendations? Is my reasoning flawed?