I’ve been using Nix as my daily driver; the atomic system/package manager was one of the main things that attracted me to it, plus avoiding the telemetry of proprietary OSes, and software freedom.
While I do know that having strong secure boot and sandboxing on Linux is difficult (and it won’t be as strong as on other OSes), I still want to know what would be recommended, since I want good malware protection (basically, ensuring that if an application gets compromised, the malware stays contained there and does not escape to the whole system, and that after a reboot the malware is no longer persisted). Man-in-the-middle/Evil Maid attacks are not so likely in my threat model, but I feel having protection against these would be good as well.
And one thing I thought of, considering NixOS reproducibility:
Is there already a privacyguides community configuration.nix? I feel this would be a good project to make: a configuration.nix for the maximum privacy and security possible, that everyone could just copy and get going on their system.
About sandboxing, really the only way is to wrap everything with Bubblewrap. This is very difficult though, and it will take a lot of trial and error to make your applications work properly in the sandbox. There is also GNU Guix. It has proper container support that can wrap any application. IMO it is a lot better than NixOS’s implementation. NixOS does have somewhat (?) of a container implementation: NixOS Containers - NixOS Wiki.
Of course, there is just normal Flatpak too, which can then be used with Flatseal. Though it does somewhat defeat the declarative nature of NixOS.
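As an added illustration of the Bubblewrap approach described in the reply above (this is example code, not something the poster or the NixOS project shipped), here is one way to keep the wrapping declarative instead of hand-typing `bwrap` every time: a small NixOS module that builds wrapper scripts with `pkgs.writeShellScriptBin`. The wrapped programs (`bashInteractive`, `curl`), the wrapper names and the `mkSandboxed` helper are all assumptions made for the example; the `bwrap` flags are real Bubblewrap options.

```nix
{ pkgs, ... }:
let
  # Hypothetical helper: build a script that only ever runs `bin` inside
  # a Bubblewrap sandbox. Every namespace is unshared, the real $HOME is
  # hidden behind an empty tmpfs (so nothing the app writes survives the
  # process, let alone a reboot), and /nix/store is read-only.
  mkSandboxed = name: bin: extraArgs: pkgs.writeShellScriptBin name ''
    exec ${pkgs.bubblewrap}/bin/bwrap \
      --unshare-all \
      --die-with-parent \
      --new-session \
      --ro-bind /nix/store /nix/store \
      --proc /proc \
      --dev /dev \
      --tmpfs /tmp \
      --tmpfs "$HOME" \
      ${extraArgs} \
      -- ${bin} "$@"
  '';
in
{
  environment.systemPackages = [
    # Throwaway shell for checking the sandbox: inside it `ls ~` is empty,
    # `ls /nix/store` works, `touch ~/x` is gone once you exit, and there
    # is no network at all.
    (mkSandboxed "sandbox-shell" "${pkgs.bashInteractive}/bin/bash" "")

    # Same sandbox for a program that needs the network: share the host
    # network namespace and expose only the resolver and CA bundle.
    # On NixOS most /etc files are symlinks into /etc/static, so that
    # directory is bound read-only as well.
    (mkSandboxed "sandboxed-curl" "${pkgs.curl}/bin/curl" ''
      --share-net \
      --ro-bind /etc/resolv.conf /etc/resolv.conf \
      --ro-bind /etc/static /etc/static \
      --ro-bind /etc/ssl /etc/ssl \
    '')
  ];
}
```

The trade-off the reply alludes to shows up immediately: every extra thing an application needs (fonts, the Wayland socket, a persistent profile directory, D-Bus) is another explicit `--ro-bind` or `--bind`, and a GUI app will need many more lines than the two wrappers above. Swapping `--tmpfs "$HOME"` for `--bind /some/per-app/dir "$HOME"` gives the app a private persistent home while still keeping it out of the real one.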
Regarding privacy and security configs, there’s a hardened.nix profile in the nixos repos:
I also enable MAC randomization, sudo-rs, various Wayland env vars, and automatic updates in my own config, but I also disable some of the settings in hardened.nix which break functionality I want:
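The configuration the reply above points to is not reproduced here. As an added example (not the poster's actual config), this is what a configuration.nix combining the items listed in that reply looks like: the upstream hardened.nix profile, MAC randomization, sudo-rs, Wayland environment variables, automatic updates, and a few hardened.nix settings overridden. NetworkManager is assumed to be the network backend, and the particular settings undone at the end are illustrative choices, not the poster's.

```nix
{ config, pkgs, modulesPath, ... }:
{
  imports = [
    # The hardened profile shipped in nixpkgs: hardened kernel, scudo
    # allocator, AppArmor, locked kernel modules, restrictive sysctls, ...
    "${modulesPath}/profiles/hardened.nix"
  ];

  # MAC randomization: a fresh random MAC per connection (NetworkManager assumed).
  networking.networkmanager.enable = true;
  networking.networkmanager.wifi.macAddress = "random";
  networking.networkmanager.ethernet.macAddress = "random";

  # sudo-rs instead of sudo. Disable the C sudo module explicitly; the two
  # are not meant to be enabled at the same time.
  security.sudo.enable = false;
  security.sudo-rs.enable = true;

  # Wayland environment variables for Electron/Chromium and Firefox.
  environment.sessionVariables = {
    NIXOS_OZONE_WL = "1";
    MOZ_ENABLE_WAYLAND = "1";
  };

  # Unattended `nixos-rebuild switch --upgrade`; no automatic reboot.
  system.autoUpgrade.enable = true;
  system.autoUpgrade.allowReboot = false;

  # Undo hardened.nix settings that break functionality. The profile sets
  # these with mkDefault, so a plain assignment here takes precedence.
  # Keep SMT enabled (the profile turns it off to mitigate cross-thread leaks).
  security.allowSimultaneousMultithreading = true;
  # Unprivileged user namespaces are what bubblewrap, Flatpak and browser
  # sandboxes rely on; the hardened kernel disables them by default.
  security.unprivilegedUsernsClone = true;
  # Allow kernel modules to load after boot (VPN drivers, hot-plugged USB).
  security.lockKernelModules = false;
}
```

Apply it with `sudo nixos-rebuild switch` and check the result with `sysctl kernel.unprivileged_userns_clone`, `cat /sys/devices/system/cpu/smt/control`, and `systemctl list-timers nixos-upgrade`. Because hardened.nix uses `mkDefault` for these options, overriding them needs no `lib.mkForce`; options the profile sets unconditionally (such as its `boot.kernelParams` list) can only be extended, not removed, from your own config.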