This post by the lead dev of Secureblue (which I'm currently using on one device) does a great job of pointing out the sobering state of desktop Linux. It also gives a nod to the security posture of ChromeOS which number of other posts elsewhere seem to do as well. The discussion here outlines the third party privacy of ChromeOS and touches briefly on the first party privacy to a small extent.
Taking this information together, I'm trying to work out where the overlap of the appropriate threat models for each begins to separate. @Wonderfall makes a good point about not using an OS if one distrusts the first-party responsible for maintaining it, but @alex also makes what I would consider a good case for ChromeOS regarding the function of the Google account used being largely up to the user (regarding privacy) and reiterates the security benefits (fast updates, verified boot, sandboxing, etc). If a user is starting with security and then adding privacy to the degree possible, I feel like reading between the lines would say that ChromeOS should be the go-to for security conscious users who can fit their workflow into it. Still, I am not clear on how it compares with Secureblue for those threat models where surveillance (lapses in privacy) could feasibly lead to e.g., targeted attacks or harassment (compromised security).