Sure, but full disk encryption was also enabled on my Mom's Ubuntu laptop 15 years ago, because I chose the correct options when I set it up. What commercial vendors offer out of the box has never been a good yardstick for talking about security features, and it's only gotten worse with the rise of the surveillance economy.
My fundamental problem with Graphene/Calyx is that I don't trust the devs have enough bandwidth and resources to catch all the vulnerabilities created upstream, especially with the moving target created by rapid version churn. For example, Android is finally getting the ability to grant apps scoped capabilities rather than blanket full access permissions, which is actually coming from upstream - the Libre forks should have had these features a decade ago, but for their limited resources.
Concretely, what discourages me from going Pixel is the Qualcomm integrated baseband/application chipsets. I've heard that Qualcomm has worked on segmenting the two with memory isolation and whatnot, but their history plus the closed design doesn't instill confidence. Yet again it's the difference between the corporate perspective of providing top-down relativist "security" rather than the individualist stance of hardline securing the AP against attacks from the BB.
Pragmatically, I know I should get over that and stop letting the perfect be the enemy of the good (I'm currently using a proprietary trash-Android my carrier sent me. The early 4G shutdown obsoleted my previous Lineage/microG). But every time I look at Pixels it seems there's so damn many "current" models, none stand out as the best but rather it's a continuum of expensive versus older ones (destined to become e-waste even sooner due to the shameless software churn). And so I punt.
> What commercial vendors offer out of the box has never been a good yardstick for talking about security features
It absolutely is. Default setting matter a lot!
It's great to have extra security features too. But even experienced users won't change defaults if they have too much cost. If things are turned on by default then those costs diminish because other software has to work within them.
My point was that when talking about commercial security offerings, the security models generally end up relying on on "trust the company", which has never worked out well. So corporate offerings finally coming around to having full disk encryption is more catching up with something they lacked, rather than advancing the state of he art. (Contrast with Android's process sandboxing, which seems like a genuine advancement and could be worthwhile to port to desktop Linux)
In the context of talking about individual actions one can take to trust their personal machine, it's reasonable to assume this involves appropriately configuring your software environment. If this was instead a thread about what products would be good to recommend to your parents, then what was commercially available off the shelf would be relevant.
My fundamental problem with Graphene/Calyx is that I don't trust the devs have enough bandwidth and resources to catch all the vulnerabilities created upstream, especially with the moving target created by rapid version churn. For example, Android is finally getting the ability to grant apps scoped capabilities rather than blanket full access permissions, which is actually coming from upstream - the Libre forks should have had these features a decade ago, but for their limited resources.
Concretely, what discourages me from going Pixel is the Qualcomm integrated baseband/application chipsets. I've heard that Qualcomm has worked on segmenting the two with memory isolation and whatnot, but their history plus the closed design doesn't instill confidence. Yet again it's the difference between the corporate perspective of providing top-down relativist "security" rather than the individualist stance of hardline securing the AP against attacks from the BB.
Pragmatically, I know I should get over that and stop letting the perfect be the enemy of the good (I'm currently using a proprietary trash-Android my carrier sent me. The early 4G shutdown obsoleted my previous Lineage/microG). But every time I look at Pixels it seems there's so damn many "current" models, none stand out as the best but rather it's a continuum of expensive versus older ones (destined to become e-waste even sooner due to the shameless software churn). And so I punt.