Which OS for private secure internet browsing PC?

:+1:

That’s good to know, thanks :slight_smile:

Basically then I’m going to follow all the post install recommendations, and use it as is (other than maybe adding uBO lite and my VPN app). Sounds like I don’t need to worry about additional sandboxing. I assume I should apply all updates as soon as they become available, and they are updates from Fedora, not SB - and they will all play nicely with SB tweaks?

I am sorry if I got that wrong.
There used to be a table with all the Vanadium patches and marking which were/weren’t included and why, no? I can’t seem to find it…

A bit of feedback for @RoyalOughtness from a linux noob’s perspective:

I think the post install documentation could be easier. I’m getting lost in the steps required.

A few examples:
ujust enroll-secure-boot-key

It rebooted to BIOS and I had to select options on a menu, I think I’ve done it right but not sure how to verify.

GRUB
Is this a password required for modifying boot entries (order) in the BIOS? Not really sure what the expected result is. However I did notice the disk encryption password that I was having to enter on boot is now not coming up anymore for some reason?

I skipped the wheel section and went on to do bash lockdown and LUKS TPM2 sections.

When I now try to do the wheel section - adduser admin, I get the response
User add : Permission denied
User add : Cannot lock /etc/passwd - try again later

Maybe it’s because I didn’t do the list in order? Also it mentions about rolling back to a snapshot but wasn’t sure how to create one. Also in discovery software centre it’s not showing anything and saying not connected when I am.

Maybe it’s just a sign that if I can’t navigate through the post install instructions then I’m out of my depth (I know that’s the case really!)

Why was the OP’s post flagged?

I had a message:

Your post was flagged as spam: the community feels it is an advertisement, something that is overly promotional in nature instead of being useful or relevant to the topic as expected.

Not sure what in relation to though

In my humble opinion, you probably should’ve gone with something easier to use, like openSUSE Aeon for example which requires little to no maintenance and is quite fine for Linux beginners.

Well, it certainly wasn’t spam. Perhaps someone accidentally flagged the post? I’m not sure, but it’s certainly not an advertisement.

1 Like

I may yet still give it a try. What does it mean by "Aeon is still in a Release Candidate stage!"?

It’s not officially released, but it doesn’t matter because it works flawlessly.

Yes, but it’s pretty much finished, according to them:

RC3 may be the final Release Candidate before Aeon’s official release. There are no major structural changes planned to the core Aeon OS, just regular improvements as upstream versions develop and our community contributes to new features and packages.

Release Candidate simply means that it is almost ready for official release and is only making minor changes and improvements. If you saw the above post, that means it could get released soon, maybe this year or next year. It’s fine to use right now, but if it was in Alpha—it would probably not be a recommendation.

Cool, thanks for clarifying

Out of interest is there anyone here associated with any of the suggested options in the thread other than Qoijjj? (not that that would be a problem, just wondered)

The only thing I should let you know is that its popularity is not like Ubuntu, openSUSE Tumbleweed or Leap, Fedora, etc. Thus, there won’t be many people to help you troubleshoot if you encounter issues.

Personally, I would use it anyway, and for your purposes there shouldn’t be any problems with it being in Release Candidate stage.

Nope.

There are plenty of people that are willing to help, including the founder itself:

https://matrix.to/#/#aeon:opensuse.org

https://www.reddit.com/r/AeonDesktop/

2 Likes

Not at all.

I agree and I’m sorry about that, sometimes the only way to know for sure is to try, nevertheless I am grateful for all the advice I have been given :wink:

That’s not what that table was. It was a list of vanadium patches and their best-effort policy configuration that we were applying at runtime to Fedora’s chromium.

We’ve long since moved to shipping our own chromium, which allows us to simply drop in Vanadium patches: GitHub - secureblue/hardened-chromium: A hardened chromium for desktop Linux inspired by Vanadium.

Also, even vanadium doesn’t just blindly “degoogle” like ungoogled-chromium does, which is a good thing. Some of the ungoogled-chromium patches are so tunnel visioned on removing google that they remove security functionality. For example, they disable browser time validation via a network synchronization service, which is used for cert validation and is a terrible idea to disable: ungoogled-chromium/patches/core/ungoogled-chromium/disable-network-time-tracker.patch at 61b271f22b9efc91bfe3e69ee6f25f2dad87afa4 · ungoogled-software/ungoogled-chromium · GitHub

1 Like

The postinstall steps for secureblue would need to be executed on Aeon as well in order to secure the system. secureblue is simply neatly documenting those steps for user convenience, they’re largely not unique to secureblue.

Plus, some of them you would wish are available on Aeon, like the ease of nvidia configuration on secureblue/silverblue compared to aeon.

Aeon isn’t analogous to secureblue. It’s analogous to Silverblue. Immutability/atomicity on its own isn’t a security feature.

If there was a hardened image of Aeon you were recommending, your post would make more sense. But this is apples and oranges. You’re comparing a hardened image of a major distro to an unhardened release of a different major distro, all of which would need similar postinstall steps executed to fully harden.

So, if you do go with openSUSE Aeon, don’t forget to follow equivalent steps to secureblue’s postinstall steps after installing :slight_smile:

1 Like