I believe your confusion comes from the following line: "secureblue does not claim to be the most secure option available on the desktop."
Which is simply their acknowledgement that more secure options like Qubes OS exist. Note, however, that Qubes OS is not based on Linux, but instead on Xen.
If you don't want to stray away from Debian, then I don't think there's anything better than PikaOS. It's like Nobara but based on Debian instead.
It's a relatively small distro, community-wise. But it has been around for some time, so I trust its longevity.
Other than that, as some other have mentioned, could be Pop!_OS.
If you're willing to stray away from Debian, then a lot of other options become available. But I digress.
Bad advice, my apologies. But, I've had great success with LLMs to tackle such problems. Be cautious. However, if you've got no time to waste, then it might be your best option.
Depending on how you define immutable distros, you absolutely can.
For example with Fedora Atomic, which most peeps refer to when talking about immutable distros, you absolutely can do rm -rf /*. At best, it might require you to include the --dont-preserve-root flag (or something like that) to actually start the process. And, arguably, it ain't as satisfying as doing it on say Arch due to the many error messages. But you'll end up breaking your system.
Immutable distros aren't indestructible by definition. Even a dumb user can break it without ill intent; I know cuz I have done so myself 😅. However, it does offer better protection. Furthermore, there are multiple issue trackers on GitHub that indicate that the developers want to iron out these things and perhaps convert them to features instead. Like, wouldn't it make sense for an immutable distro to 'factory-reset' whenever rm -rf /* is invoked?
Could you edit your post to include system specs?
I was intending to, but it got very unwieldy real fast. I did provide some very basic pointers, but nothing earth-shattering. I suppose this is a decent read with the acknowledgement that the author has primarily read up on Fedora Atomic (and not the other 'immutable distros). Which ain't bad for our use as Bazzite is derived from Fedora Atomic anyways.
what does immutable mean?
Strictly speaking, 'immutable' means unchanging. For Linux distros, this means that (at least some part of) the OS is read-only.
On any distro, you could invoke the chattr +i path/to/file_or_directory command to make a file or directory of your choosing immutable. Thus preventing you or anyone else from changing that until it's revoked.
The so-called 'immutable' distros employ this at the OS-level. However, their implementations (and the implications thereof) may vary significantly amongst them, unless they share some 'heritage'.
Going over the many different implementations and their implications is out of scope for what this comment intends. Especially as the 'immutable Linux landscape' is fast moving. Thus, potentially making it outdated the very next landscape-defining change.
While it could be functional as a cursory watch, it doesn't seem that Michael Horn has done a good job investigating the subject matter. So, no, I actually disagree with it offering a good explanation. Granted, I couldn't find any video that does this subject any justice; more often than not, they just tend to overgeneralize or oversimplify.
Consider taking a look at this criminally underrated Linux-first vendor: NovaCustom. Prices aren't cheap, unfortunate. But it boasts hardware from about a year ago. Furthermore, NovaCustom takes Libre very seriously: from supporting coreboot to offering blob-free WiFi-cards.
No worries fam. And thanks for clarifying! With that clarification, I think I've found what has caused the confusion for me.
Bazzite, even if it's ultimately derived from Fedora, is actually not closely related to ('traditional') Fedora, but instead to Fedora Atomic.
Most of the people that have been recommending Fedora, actually meant the non-Atomic variants. And while this might seem minor, which arguably it is, it is important to be conscious of this distinction.
('Traditional') Fedora behaves a lot like most other distros. Fedora Atomic, instead, introduces a new paradigm. Bazzite goes all-in on this new model and we might even refer to it as next-gen (if you will). Though, it's important to mention that the next-gen part is only true within the context of Fedora. This is because Fedora has been the only distro to have clearly pronounced their ambitions in this direction. They even reiterated this in their Fedora Strategy 2028 and I quote: "Objective: Immutable variants are the majority of Fedora Linux in use". (Note that atomic is a rebranding of immutable)
So, within the context of Fedora, even if I don't see the traditional model being sunset anytime soon, the atomic variants do seem more promising in terms of longevity.
Personally, I'm a huge fan of Fedora Atomic; in particular the uBlue projects, so that includes Bazzite. Therefore, I absolutely welcome you on board for Bazzite. But, it's important to be aware that Bazzite is not representative of what ('traditional') Fedora is (or vice versa); it's not a "flavor".
I think your response has so far been the most comprehensive. Thank you so much.
It has been my pleasure :D ! Thank you for reading through all of that 😅.
"Tinkering" in my case is pretty broad. You're correct when you suppose that I like to mess with UI aesthetics and workflows. The other misc tinkering I more mentioned in case there's some distros that are unsuited to working with strange or niche programs (such as the media encoding and physical media management stuff I mentioned). It sounds like that's not really much of a problem though. Anyway what counts as "niche" is very subjective so probably wasn't that helpful to mention.
Thanks for the clarification!
I have not heard of Bazzite.
Interesting. Its fan base can be rather vocal. Furthermore, it has been enjoying a very healthy amount of media coverage. Digital Foundry dedicated a video on it. And even LTT briefly mentioned it recently.
It kinda looks to be perfect if I end up going with Fedora (It's the most recommended so far).
I didn't quite capture the intent of this sentence. My bad. Would you mind elaborating/clarifying/explaining? Apologies if I'm coming across as obtuse 😅.
It seems to be quite new
Correct.
and I don't want to jump on just for it to be a flash in the pan.
I understand. I absolutely agree with you that e.g. Fedora's future is more certain than Bazzite. Even if the latter recently reiterated their continued support.
As I understand it though, even if it is, it's easy enough to change distros.
FWIW, the complete Fedora Atomic ecosystem -that Bazzite is part of- allows changing distros with a single command. The only limitation being that the designated distro has to be part of the ecosystem as well. So, even if Bazzite would implode one day after you've switched to it, you could just 'rebase' to (say) Fedora Kinoite.
Others have said to not be worried about locking oneself in
Agreed.
and to just jump in and try.
Kinda. It's more nuanced I think 😅.
Also not a fan of "Gaming Mode" style UI but I guess I can just not use it.
Exactly. Bazzite on desktops/laptops defaults to the DE after logging in. So, as you've noted already, you don't have to use it ;) .
Again, thank you very much for your detailed response.
You doubled down on the kind words. I appreciate it. Thank you for being you!
To add onto what N.E.P.T.R said, it is technically possible to make a custom amalgamation of Bazzite with secureblue's hardening. However, it would be neither here or there. Some discussion of it can be found here. IIRC, it was ultimately deemed counter-intuitive as a gaming-distro inherently conflicts with a hardened one.
Finally, we shouldn't disregard the technical part of this; it's IIRC one of the reasons why the Bluefin-variants of secureblue were eventually disbanded. It frequently had a lot of interesting bugs that were simply not present on other secureblue-images. This isn't on Bluefin either, as the non-hardened edition worked as you'd expect.