Thoughts on Universal Blue (Bluefin, Bazzite, Aurora)

I want to mention that you can exclusively use Official flatpak and distrobox and that is a much better security improvement than “Download this .deb and have it have root access on your computer!”.

Distrobox does not do any sandboxing, but it does prevent the repositories from running on your main system. I think that’s a benefit.

I won’t argue that it offers a clear advantage over traditional distros (I personally hate traditional distros on the usability front, it’s only more usable because the Linux desktop is designed around that terrible way of doing things), but to argue it’s a step back for everything is unwarranted imo.

2 Likes

Fwiw, I’m not sure if many people know, but IVPN natively supports Fedora Silverblue, and its derivatives like Fedora Kinoite. When I used Fedora Silverblue, Aurora, and Bluefin, it worked exactly the same as the client for traditional distributions.

Personally, I’ve found that to not be completely true. I managed to daily drive immutable systems such as openSUSE Aeon, Bluefin, and—with minor difficulties—Secureblue. My tasks and needs are NOT basic as a student, and immutable systems fulfilled them quite well.

I believe you’re saying immutable systems are most adequate for users with fairly basic needs, such as web browsing, simple document editing, etc. However, it’s still good to remember it can be used by users outside that category.

With your last point, all Linux distributions are sufficiently private, so I’m not sure how the use of an immutable system decreases it?

Distrobox exists 🙂.

Additionally, you can simply disable visibility, and thus a potential installation, of unverified flatpaks in the GNOME Software center’s settings. (Last time I used a distribution with KDE Plasma, Discover did not have this feature.)

With regards to Firefox’s flatpak, IIRC, you can just install the Firefox tarball package on immutable systems. For Tor Browser, you have the Tor Browser Launcher, and the manual installation. The same goes for Mullvad Browser. That is, installing via the manual method. In the case of Brave, it officially supports Fedora Silverblue and its derivatives.

I agree it is strange that PrivacyGuides didn’t mention anything about unverified flatpaks, even in a blog post about sandboxing utilities.

Unless new Linux users do their own research like I did, they may end up installing a malicious flatpak since they believed all flatpaks are safe or had a similar false belief.


Ultimately, ymmv. I’m aware of some users who have had success with immutable systems, and others not. But to conclude, I have to agree with this point, specifically:

2 Likes

Great points y’all.