Installing tor browser on secureblue

There’s a lot of stuff to respond to in here, so I’m gonna do it all in one big post. In the future though please direct these questions to our Discord :smile:.

Distro Box
a warning about this practice.

Yes, the warning is just to inform the user not to treat Distrobox as a sandboxing tool.

So what is the recommended way to install Tor on Secureblue?

I would recommend using it in a VM. We recently shipped virt-manager OOTB, which you can use to provision a VM for Tor Browser. FAQ | secureblue

If the YouTube video I watched earlier was accurate, they are going to integrate browsers through Bazaar once it is ready, then flag the Flatpak versions and block them.

Correct, see the Flatpak section of this guide. That said, support for a nested, per-app user namespace toggle may be coming to flatpak according to Sebastian Wick, which is great news. :slight_smile:

if there is no support it seems impossible for a beginner.

Highly responsive community support is available on the Discord.

  • Install either via download or layer torbrowser-launcher via rpm-ostree
  • Enable unprivileged user namespaces for unconfined_t domain via ujust (or write an SELinux policy for Tor Browser)
  • Start Tor Browser without hardened malloc (via ujust)

A VM is of course preferable to this, but what you’ve described is unfortunately preferable to the flatpak, because of the same issue with flatpaked browsers described here.

I believe secureblue is immutable,
you can’t modify the core system

Incorrect on both counts, please read our FAQ. :slight_smile:

what even is layering (and how to do it)?

what are namespaces?

I have already explained that secureblue is not yet ready for general use. It is still in an early development stage.

This is not accurate. Secureblue is ready for general use.

Some hardened OSes intentionally make apps like Tor Browser difficult to run unless you relax certain security assumptions.

We don’t intentionally make it difficult to run. It has incompatibilities with hardened_malloc and needs userns, both of which we provide convenient toggles for.

I think the developer just hates Gecko-based browsers; he could easily make a ujust --choose menu for other browsers.

There’s a difference between analyzing software relative to its competitors and hating said software. In any case, what you mentioned would amount to an anti-feature that enables users to shoot themselves in the foot. See the earlier link to why using a Firefox-based browser on secureblue is contradictory.

think they have ‘moved’ away from being too strict as the project has progressed.

If you say so :sweat_smile:. The goal has always been the same. Sane defaults with toggles to undo hardening as needed.

that the harden-malloc needs turned off via ujust every time I use MB/TB (vs the Flatpaks where it is turned off permanently)

Please open a feature request for this :slight_smile:

We should put this right into the desktop file for convenience.

it is way ahead of Windows/Apple.

Sadly no. For example, the most secure Windows system is well ahead of secureblue and the Linux desktop generally.

It is my responsibility to learn the OS and not the Developers responsibility to dumb it down

Making sure that hardening can be conveniently toggled off is very much in scope. We have long-term plans to make a GUI for all the toggles, which should improve convenience/reduce friction/improve user education. But this is fairly long term.

My issue is just that I really want to learn more about it, learn how to do certain things, how to make them work on Secureblue, and that is unfortunately not possible for beginners.

I strongly encourage you to ask away on the Discord :smile:
