My understanding of Bedrock Linux's security concerns are addressed in this FAQ entry [0]. In the decade or so I've been working on Bedrock, I have yet to come across any situations where the differing assumptions between distros results in a security issue. Historically, every time assumptions differed in a way Bedrock did not handle, this resulted in things locking down rather than opening up. For a concrete recent example, Void Linux's build of OpenDoas updated recently [1], which resulted in removing Bedrock entries from the $PATH.

The primary concern I personally hold is in Bedrock's code to bootstrap parts of other distros, which does not currently verify the initial set of files used. I am hoping to address this with Bedrock's next major release (0.8.X) [2].

When Bedrock is far enough along that the architecture/code churn slows, I plan to seriously investigate the possibility of independent security reviews. For the time being, if someone claims heightened security needs, I usually redirect them to Qubes OS [3].

[0] https://bedrocklinux.org/faq.html#security. [1] https://github.com/Duncaen/OpenDoas/releases/tag/v6.8.1 [2] https://github.com/bedrocklinux/bedrocklinux-userland/issues... [3] https://www.qubes-os.org/