Is there a safe way to handle USB drives on Linux?
As far as I know there are two main threats:
The USB device acting as an input device to perform arbitrary actions
The USB device auto executing some code that harms the system
What are the most effective and pragmatic ways to prevent both things on Linux?
And am I right with my assumption that a USB drive probably can’t harm a Pixel running GrapheneOS, without a zero day exploit or very advanced malware?
The Qubes sys-usb model has to be the most secure. USB controller devices are isolated to a dedicated VM when mounted; devices must be manually attached per instance to access any other part of your system.
Probably impractical overkill for most threat models, but it’s reasonably secure.
You could just spam the super/windows key if you fear a USB device will act as a malicious input device. If you don’t want to spam, you could create a script that executes every time a new USB device is detected on the system to do this for you.
Spamming the super/windows key will cause you to escape out of any input box – like a terminal – which will prevent the payload from properly being executed. But this method would only work if the USB device began acting maliciously immediately after plugging it in.
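For the first threat in the question (a drive that also acts as an input device), here is an added example that is not part of any post in this thread: a script that reads the interface classes Linux exposes in sysfs and flags a device presenting both storage and HID. The function names are hypothetical; the class codes 03 (HID) and 08 (mass storage) are the standard USB ones, and the script only reports, it does not block anything.

```python
import os

HID, MASS_STORAGE = "03", "08"  # standard USB interface class codes
SYSFS_USB = "/sys/bus/usb/devices"

def interface_classes(dev_dir):
    """Collect bInterfaceClass of every interface directly under one device."""
    classes = set()
    for entry in os.listdir(dev_dir):
        path = os.path.join(dev_dir, entry, "bInterfaceClass")
        if os.path.isfile(path):
            with open(path) as fh:
                classes.add(fh.read().strip().lower())
    return classes

def verdict(dev_dir):
    """Classify a device by what it can do once the kernel binds drivers."""
    classes = interface_classes(dev_dir)
    if HID in classes and MASS_STORAGE in classes:
        return "hid+storage"   # a "drive" that can also send keystrokes
    if HID in classes:
        return "hid"           # keyboard, mouse or similar input device
    if MASS_STORAGE in classes:
        return "storage"       # storage only
    return "other"

def scan(root=SYSFS_USB):
    """Map each USB device name to its verdict; skip interface entries."""
    results = {}
    for name in sorted(os.listdir(root)):
        if ":" in name:        # entries like 1-2:1.0 are interfaces
            continue
        results[name] = verdict(os.path.join(root, name))
    return results

def build_fake_device(root, name, classes):
    """Constructed sample: mimic the sysfs layout for offline testing."""
    for i, cls in enumerate(classes):
        iface = os.path.join(root, name, f"{name}:1.{i}")
        os.makedirs(iface)
        with open(os.path.join(iface, "bInterfaceClass"), "w") as fh:
            fh.write(cls + "\n")

if __name__ == "__main__" and os.path.isdir(SYSFS_USB):
    for dev, result in scan().items():
        flag = "  <-- check this device" if result == "hid+storage" else ""
        print(f"{dev}: {result}{flag}")
```

A device that waits before exposing its HID interface would only be caught by a scan run after that change, the same timing limit described in the last reply.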