Desktop Operating System with high security

Some questions for yourself:

What are the capabilities of your adversary? Are they most likely going to try to phish you with infected files, or are they a state-level adversary that can infect your computer with a 0-day through your browser? Would the adversary be willing to forcefully take your computer and compel you to reveal your disk encryption password?

Are you more concerned with being targeted with malware, leaving traces on your hard disk, your communications not being attributed to you, communications not being decrypted? Are your priorities based on anonymity, security, both?

What else do you want to use your computer for? Gaming, blogging, internet surfing, programming? Or only for dangerous tasks?

I would personally lean into Kicksecure as a host and running Whonix in your scenario, if Qubes isn’t an option. To avoid compromising the host, it may be wise to never run risky software like browsers or anything that communicates with the internet, and running different amnesic KVM VMs for different activities. As a former Qubes user, you should be familiar with this compartmentalization mindset 🙂

A choice of non-security-focused Linux distro (i.e. Fedora over Debian) is incredibly unlikely to stop someone from getting infected with malware, especially targeted malware. If there’s a bug in a browser that gets exploited, you’re probably hosed, and you won’t know it, whether or not you have Linux Mint or Parrot, unless the browser was virtualized or sandboxed.

A user running Whonix (Debian/Kicksecure) in live mode is far better off against an adversary that can deliver browser or media-file based 0 or 1-day exploits than a user running Fedora and a raw-dogging Firefox or Chromium.

If you have a “decently high threat model”, the best ways to minimize damage if penetrated are with virtualization or preferably with an air-gapped or otherwise physically isolated machine. With the former you’re betting on your adversary not employing a VM-escape exploit, which is very unlikely. To my knowledge, there have been no publicly known reports of a VM-escape actually being used by any threat actor in the wild.

Having a low attack surface is largely dependent on you not installing extra unneeded applications, and uninstalling what you don’t need if you’re using Linux. That’s the beauty of Linux - you can make it and harden it as you want mostly.

Whonix can be used with most operating systems through VirtualBox or QEMU/KVM (recommended). You can even use physical isolation with Whonix if you’re worried about VM-escape exploits and have multiple computers to spare. Just head over to the Whonix wiki to find out more.
