While it is possible, it is definitely not easy to set up right, particularly if you want hibernation to disk properly set up. There are certain requirements on the disk layout setup: use LVM, set up TPM, set up bootloader parameters, set up hibernation and wake... if any step is wrong you have to use a boot drive to rescue, and it is very hard to fix if you don't have LVM in the first place. For example, Arch Linux's archinstall won't set up this whole suite for you.
This is really necessary if you are going to take the computer outside and it might get lost or stolen. You definitely don't want other people to read the content after it was lost. I think this kind of security is default on Windows / Mac / iOS / Android right now already, but Linux is still so hard.
You get GUI app sandboxing with Flatpak these days.
Ubuntu is going to strong-arm you into Snaps, the snap-ectomy is nontrivial, and they have a habit of reappearing. Some people don't have a problem with Snaps - so non-issue if you don't care. Otherwise I'd go with a downstream distro that removes them: Pop!_OS, Mint, or even upstream (Debian).
XFS is an extremely mature file system if you don't need anything fancy, and you're probably less likely to lose data compared to $proprietary. The other major ones (ext4 and btrfs) are probably just as good, but XFS honestly does stand out in terms of maturity and simplicity.
A common trap is trusting the installer with partitioning. My last Ubuntu installation ran out of space on EFI. 5 GB is overkill, but given how abundant disk space is, who cares. Separating / and /home is a good idea for rescue/reinstalling but without btrfs subvolumes (Ubuntu uses btrfs subvolumes by default) it becomes a bit challenging to figure out how to dice things up: e.g. docker containers are stored in /var, so they can deplete your system drive space. Last time I didn't use btrfs, 200 GB for / never caused issues for me.
Oh, and Windows has a habit of removing other boot loaders from its drive. If you dual boot, use a different disk for the entire installation.
That's really the extent of the gotchas I'd give to a person literate enough to install an OS. I would slightly urge towards immutable (Silverblue), but Ubuntu is just fine.
In my humble opinion, consider Fedora instead because of Ubuntu and Snaps. You’ll have the flexibility of Flatpaks, RPMs, Snaps if you really want, etc. Some suggested immutable distros (Silverblue), but you can adopt a containerized workflow incrementally with regular Fedora so that you don’t run into its sticky corners.
But... relative to macOS, Ubuntu is certainly not as user-friendly. It's worth noting that Linux distros will force you to confront the command line at some point. If you come from OSes where the most technical thing you have to do is pop open settings to set screen-share permissions or "right-click -> open" to install a package, you'll notice a stark difference.
If security is a major concern, bwrap or firejail can easily provide that extra sandboxing.
NixOS and GuixSD make it quite trivial to sandbox applications in a declarative fashion using firejail.
An alternative is to use e.g. Flatpak, which gets you sandboxing for free via bwrap. But I am not a fan of application images that bypass package management.
Additionally, any thoughts on snap? (presently looking into Flatpak)
Containers also provide good development sandboxing. With distrobox you can run many distributions inside your own within a clean and isolated environment.
Another benefit of Mint is a well-attended user forum (with swell tech support). That can be important if your technical problem is rarer... with audio, say. (NOT a Linux strong point.)
Unless your uses are bog-standard, I'd look for similar features to rely on in any distro.
Booting from Grub can be 'interesting' at times, if there's a weak point.
Generally the out-of-the-box experience of Ubuntu and Fedora is at least as secure as, or better than, that of Windows. macOS tends to lean towards a more hardened configuration. Matching that is possible (Android being a great example), but will require some work on your part and is generally not worth it unless you download and run untrusted software.
And one area where desktop Linux really shines is how easy it makes it to only limit yourself to software you can generally trust: that in the default repositories. If you use a well-maintained distribution, keep your system up to date, and only use software that your distribution delivers, chances of your machine getting compromised by anything other than a strictly targeted attack are very slim.
It's understandable that eventually you might want to run third-party software. In that case, I'd definitely advise against running random scripts or commands from the Internet, especially the `curl | bash` kind, and adding third-party repositories to your system unless you absolutely trust their source. This and running out-of-date Internet-facing software are the most common attack vectors.
For third-party software, consider using Flatpak (desktop) and Podman/Docker (server). These sandbox software by default, limiting the damage it can do to your system. With Flatpak, always pay attention to what permissions your application will be granted (those are listed at installation time) and try to limit their scope as narrowly as possible. You can manage the permissions with `flatpak info -M` and `flatpak override`. There's also Flatseal, a GUI alternative which I personally haven't tried.
One more thing to watch out for: extensions. Some software, such as Visual Studio Code and derivatives, has very lax policies on extensions. Even if you install it from a trusted source, but then install an untrusted extension, the extension will run with full access to your files! If you're using such programs, I recommend installing them in Flatpak and limiting their permissions as well. I've been burned by some VSCode extensions in the official marketplace that immediately contacted Chinese IPs upon installation.
Of course, those are tips for those looking to get started. Long-time users interested in hardening should definitely look into SELinux, seccomp, namespaces, dm-verity, and their associated utilities.
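An added example, not part of the comment above: a small shell filter that reads Flatpak permission metadata in the keyfile format printed by `flatpak info -M` and lists the broad grants worth narrowing with `flatpak override`. The app ID `org.example.Editor` and the sample metadata are constructed for illustration, and the set of grants treated as broad is this example's own choice.

```shell
#!/bin/sh
# Added example: list broad grants in Flatpak permission metadata.
# Reads keyfile text on stdin and prints one "key=value" line per broad grant.
audit_flatpak_metadata() {
    awk -F= '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }  # only [Context] is checked
        !in_ctx || NF < 2 { next }
        {
            key = $1
            n = split($2, vals, ";")
            for (i = 1; i <= n; i++) {
                v = vals[i]
                if (v == "") continue
                base = v
                sub(/:.*/, "", base)   # drop a :ro / :rw / :create suffix
                # Negated entries such as "!host" never match and are skipped.
                if ((key == "filesystems" && (base == "host" || base == "home")) ||
                    (key == "devices" && base == "all") ||
                    (key == "sockets" && (base == "x11" || base == "session-bus" || base == "system-bus")) ||
                    (key == "shared" && base == "network"))
                    print key "=" v
            }
        }'
}

# Constructed sample metadata for a hypothetical app (not real output).
sample_metadata() {
    cat <<'EOF'
[Application]
name=org.example.Editor
command=editor

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=host;xdg-download;home:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk
EOF
}

sample_metadata | audit_flatpak_metadata
# On a real system: flatpak info -M <app-id> | audit_flatpak_metadata
# then narrow a grant, e.g.: flatpak override --user --nofilesystem=host <app-id>
```

A `:ro` grant is still reported, since read-only access to the home directory exposes every file in it.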
If you've got a spare drive then install it on that, leaving your existing install alone, or if you have spare space on your existing drive you can shrink a partition (back up important data first) and set up a multi-boot.
Sure it doesn't have a full Desktop Environment, but one can run GUI apps, and easily pass files between.
The open source model of development has encouraged the correct incentives for people to become active in identifying and fixing possible exploits in a global, communal effort.
Every server on the cloud has (by a large margin) chosen Linux as the OS to trust specifically for this reason.
If you expose a Windows server default install to the internet it will be compromised in days. (I don't know how. I do know AWS was very unimpressed with me.)
In contrast Linux systems are often set up that way without issue.
Source: Personally got it into a state where it became a huge headache to update.
Source: Personally (like the other poster) I have got both into a state where it became a huge headache to update.
Try something from universal blue!
As someone who's been daily running it since 2008, I'm gonna say yes anyway though. It's secure (one definition of safe) and no more likely to eat your data than any other OS. Still back things up though, hardware failures happen.
What to config? Nothing. Don't touch shit if you don't know what you're doing. That's the secret to having a stable system, not messing with it.
Of course, some things will randomly break unexpectedly, but you get that with Windows and macOS, too.