[-] alt@lemmy.ml 14 points 11 months ago* (last edited 11 months ago)

Most distros are somewhat equal when it comes to privacy, anonymity and security; with the likes of Fedora and openSUSE known for taking it more seriously out of the box than the other 'big bois', while some smaller distros like Kicksecure are known for their best-in-class^[1]^ hardening that they offer by default.

As for NixOS, it's really its own thing (together with Guix), and thus very different from any other distro. If you conquer it, you would be delightfully met by a system that enables you to do things unheard of in other distros. However, the learning curve is very steep. And perhaps even hardening it to the level that Fedora or openSUSE provide by default might not be trivial.


  1. Qubes OS is technically not a Linux distro. But it's worth mentioning as one generally tends to run Linux within a qube (read: VM), and in regards to security and privacy; Qubes OS is simply unmatched, period.
[-] alt@lemmy.ml 9 points 11 months ago

to use as a media centre and multiplayer gaming system in my living room

Based on this, you're basically looking for the 'game console experience on your couch'. If that's the case, honestly you shouldn't look beyond^[1]^ Bazzite.

If, instead, you actually wanted to play retro games primarily, then please let us know.


  1. While ChimeraOS and HoloISO also offer the 'game console experience', they don't support Nvidia GPUs. So you would be on your own at best; which would be a horrible experience for a new user. If you feel particularly adventurous, then Jovian-NixOS is actually another option. But arguably less newbie-friendly compared to Bazzite.
[-] alt@lemmy.ml 12 points 11 months ago

Basically, you want to not disable kernel.unprivileged_userns_clone.

For a temporary solution that has to be redone after reboot, there is sysctl kernel.unprivileged_userns_clone=1.

For a lasting solution, consider echo kernel.unprivileged_userns_clone=1 | sudo tee /etc/sysctl.d/99-enable-unpriv-userns.conf.

In either case you're foregoing security for the sake of convenience/functionality, so I understand why you would rather not act upon either of them.

I don't know what the solution is that would be analogous to installing bubblewrap-suid. Perhaps it's worth exploring the projects found within the GitHub page of Awesome Fedora Security for some pointers.
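As an added example (not part of the comment above, and not from any distro's own tooling), the following POSIX shell functions check whether unprivileged user namespaces are currently allowed and emit the persistent sysctl.d fragment for either choice. It covers two knobs: kernel.unprivileged_userns_clone, the out-of-tree sysctl carried by Debian-derived kernels (Kicksecure's hardening disables it), and user.max_user_namespaces, the upstream knob that Fedora kernels expose (0 denies creation). The functions take file paths so they can be exercised against constructed files; the probe with unshare and the sysctl paths under /proc/sys are the live parts.

```shell
#!/bin/sh
# Added example: report and configure unprivileged user-namespace creation.
# Not code from the original post; knob semantics as documented above.

# knob_state FILE -> prints enabled | disabled | absent | unknown
# Both knobs share the mapping "0 = denied, positive = allowed".
knob_state() {
    f="$1"
    [ -r "$f" ] || { echo absent; return 0; }
    v=$(tr -d '[:space:]' < "$f")
    case "$v" in
        ''|*[!0-9]*) echo unknown ;;
        0)           echo disabled ;;
        *)           echo enabled ;;
    esac
}

# userns_allowed CLONE_FILE MAX_FILE -> enabled | disabled | unknown
# Either knob saying 0 is enough to deny; a kernel without the Debian knob
# is judged on user.max_user_namespaces alone.
userns_allowed() {
    clone=$(knob_state "$1")
    max=$(knob_state "$2")
    if [ "$clone" = disabled ] || [ "$max" = disabled ]; then
        echo disabled
    elif [ "$clone" = enabled ] || [ "$max" = enabled ]; then
        echo enabled
    else
        echo unknown
    fi
}

# report -> evaluates the live kernel (paths are the real /proc/sys locations)
report() {
    userns_allowed /proc/sys/kernel/unprivileged_userns_clone \
                   /proc/sys/user/max_user_namespaces
}

# probe_userns -> empirical check: try to create a user namespace as the
# calling user with util-linux unshare. Exit 0 = worked, 1 = denied,
# 2 = unshare not installed. Not exercised by the test.
probe_userns() {
    command -v unshare >/dev/null 2>&1 || return 2
    unshare -U true >/dev/null 2>&1
}

# sysctl_snippet enable|disable -> prints a /etc/sysctl.d fragment.
# Each key is prefixed with "-" so that sysctl --system ignores a key the
# running kernel does not have (the Debian knob is absent on Fedora).
# "enable" is the convenience setting from the post; "disable" is the
# hardened setting and also caps user.max_user_namespaces at 0.
sysctl_snippet() {
    case "$1" in
        enable)
            printf -- '-kernel.unprivileged_userns_clone = 1\n' ;;
        disable)
            printf -- '-kernel.unprivileged_userns_clone = 0\n'
            printf -- '-user.max_user_namespaces = 0\n' ;;
        *)
            echo "usage: sysctl_snippet enable|disable" >&2
            return 1 ;;
    esac
}
```

Usage: `report` prints the current state; `sysctl_snippet enable | sudo tee /etc/sysctl.d/99-enable-unpriv-userns.conf` then `sudo sysctl --system` makes the post's choice persistent, and `sysctl_snippet disable` gives the hardened counterpart. Before relying on either knob, run `probe_userns; echo $?` once, since a seccomp or LSM policy can still deny the clone even when both sysctls allow it.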

[-] alt@lemmy.ml 10 points 11 months ago

Not OP. But for me, atomic updates, reproducibility, (to some degree) declarative system configuration, increased security, built-in rollback functionality and their consequences (a rock-solid system even with relatively up-to-date packages, the possibility to enable automatic updates in the background without fearing breakage, a (quasi) factory-reset feature, and setting up a new system in just a fraction of the time required otherwise) are the primary reasons why I absolutely adore atomic^[1]^ distros.


  1. I prefer referring to the so-called 'immutable' distros as atomic distros instead. It's more descriptive, because the distros aren't actually 'immutable' but instead they're atomic.
[-] alt@lemmy.ml 15 points 11 months ago

is there any reason why I should even care about the freedom of init system?

Freedom of choice! It's troublesome if distros and/or DEs rely so heavily on systemd to do their bidding. So much so, that some combinations of distro + DE don't allow any differentiation in init or make it very cumbersome and unwieldy at best. I'm not interested in making systemd a necessary part of Linux. Therefore other inits not only have to exist, but should be 'competitive' as well. Which, to be frank, is currently not the case.

Another concern is that systemd is by no means a minimalist approach. Beyond bloat, that also has security implications. More information can be found in this (infamous) guide by Madaidan, a security researcher on multiple distros known for taking security and privacy very seriously, e.g. Kicksecure and Whonix. Interestingly, while Madaidan discourages the use of systemd in that guide, it's still heavily relied on in Kicksecure, one of the distros he works on. I think this is a perfect illustration of how systemd has become so good that even opponents can't deny its merits and continue to make use of it for the time being out of necessity.

[-] alt@lemmy.ml 13 points 11 months ago* (last edited 11 months ago)

Lots of great answers here already so I will only address a couple of things that haven't been mentioned:

Regarding Fedora Silverblue:

  • Currently, Fedora Atomic Desktops are in a major shift to accept OCI container images for delivery of packages. This means that the built image becomes one compliant with OCI and that we boot into an OCI container as our system. As OCI images are relatively declarative (not to the extent that NixOS does (yet)), it becomes possible to have a set of config files (most importantly, the so-called Containerfile) in which your system is 'declared'/'configd'. In case you're interested in how this looks/works, consider taking a look at uBlue's startingpoint or, if you're more interested in the scope of configuration, into Bazzite and/or Bluefin.
  • apx is available as a COPR on Fedora Atomic Desktops.
  • Nix can be installed on Fedora Atomic Desktops using Determinate Systems' installer.

Regarding Vanilla OS:

  • They're also moving to a model that's very close to where Fedora Atomic Desktops is heading. So, expect a similar way to config/'declare' your system.

What are your thoughts on the ~~three~~ four distros mentioned above?

It's a question of polish if you'd ask me. With Fedora Atomic Desktops and NixOS being advantageous due to being more established and better funded. I wouldn't write off Vanilla OS yet as they seem to know what they're doing. Though, I wouldn't keep my hopes up for blendOS as its main developer was unaware of which MAC was configured by default on blendOS (spoiler alert: none, at least at the time).

Furthermore, NixOS is literally its own thing and unfortunately infamous for its steep learning curve. If you can afford to learn and conquer NixOS, then NixOS should be the recommendation; unless (like me) you seek SELinux on your systems.

Between Fedora Atomic Desktops and Vanilla OS; Vanilla OS is still in its major rewrite/revamp. The alpha builds are there, but I wouldn't recommend using those on production machines. Fedora Atomic Desktops, on the other hand, has been going strong for a while now and the uBlue-team has even succeeded in making the OCI-stuff accessible for the general (Linux) public. So if you want to switch now and NixOS is/seems too hard; then Fedora Atomic Desktops it is. On that note, I recommend to check out the uBlue project.

Which ones are the most interesting, and for what reasons?

Honestly, all of them are really interesting, but NixOS does the most unique stuff; with only Guix doing something similar within the Linux landscape. To give you a taste of some of the wild stuff found on NixOS; there's the so-called Impermanence module which, to my knowledge, happens to be the closest thing to a usable stateless system we've got; period. Consider reading this excellent blog post in case you're interested to know what this entails.
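To make the Containerfile point in the Fedora Silverblue bullet above concrete, here is an added example (my own illustration, not uBlue's, Bazzite's or Bluefin's code) of the minimal shape such a 'declared' system takes, together with the build step and the two ways of rebasing a running Fedora Atomic Desktop onto the result. The base image name and tag, the image you would push to, and the package list are assumptions for illustration. The shell functions wrap the pieces so the Containerfile contents can be checked without network access; only build_image actually needs podman and a registry.

```shell
#!/bin/sh
# Added example: declare a Fedora Atomic Desktop as an OCI image.
# Image names, tag and packages are assumptions, not a real project's config.

# write_containerfile OUT -> writes the Containerfile to OUT.
# The layered packages become part of the image, so every machine that
# rebases onto it gets the same set; nothing is installed per machine.
write_containerfile() {
    cat > "$1" <<'EOF'
# Base image: uBlue's Silverblue build (assumed name and tag).
FROM ghcr.io/ublue-os/silverblue-main:40

# Layer packages into the image itself, then commit the ostree layer so the
# result is bootable. Package list is an assumption for illustration.
RUN rpm-ostree install distrobox tmux && \
    ostree container commit
EOF
}

# build_image TAG [DIR] -> builds the image locally with podman.
# Needs the base image to be pullable; not exercised by the test.
build_image() {
    dir="${2:-.}"
    podman build -t "$1" -f "$dir/Containerfile" "$dir"
}

# rebase_cmd unverified|signed IMAGE -> the rpm-ostree command to boot into IMAGE.
# "unverified" pulls whatever the registry serves and is fine for local
# experiments; "signed" refuses images that do not match the sigstore/cosign
# policy configured for that registry in /etc/containers/policy.json, which is
# what you want on a machine you care about.
rebase_cmd() {
    case "$1" in
        unverified) echo "rpm-ostree rebase ostree-unverified-registry:$2" ;;
        signed)     echo "rpm-ostree rebase ostree-image-signed:docker://$2" ;;
        *) echo "usage: rebase_cmd unverified|signed IMAGE" >&2; return 1 ;;
    esac
}
```

Usage: `write_containerfile ./Containerfile`, `build_image ghcr.io/example/desktop:40 .`, push the image, then run the output of `rebase_cmd signed ghcr.io/example/desktop:40` on the target machine and reboot; a later change to the Containerfile is rolled out by rebuilding and letting the machine pull the new image, and `rpm-ostree rollback` returns to the previous deployment if it misbehaves.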

[-] alt@lemmy.ml 13 points 11 months ago

I don't know if it even works, but have you considered relying on their Stealth protocol? While its absence on Linux ~~(and Windows)~~ means that you might not even be able to make use of it in the first place, I'm still interested to know if it makes any difference.

[-] alt@lemmy.ml 9 points 11 months ago

I'm saddened by how the once great Elementary OS has fallen from grace. I hope they will be able to bounce back to former glory and beyond, but I'm skeptical at best...

[-] alt@lemmy.ml 10 points 11 months ago

I don't understand how people break it.

It's probably related to installing packages through the AUR, even though it's known to be unsupported on Manjaro specifically due to their policy of holding back packages.

[-] alt@lemmy.ml 9 points 11 months ago

I cannot wait to get home and try it out!

Please consider reporting back after you've tried it; I'd love to read your experiences.

[-] alt@lemmy.ml 8 points 11 months ago

Not sure if it counts as a blog, but I really value the articles found on privsec.dev. With (perhaps) its most exceptional feat being that it's somehow continuously kept up-to-date to provide accurate information at all times.

[-] alt@lemmy.ml 8 points 11 months ago

What do you think of Arkenfox' following statements regarding Privacy Badger?

  • Ghostery, Disconnect, Privacy Badger, etc

    • Redundant with Total Cookie Protection (dFPI)

    • Note: Privacy Badger no longer uses heuristics by default, and enabling it makes you easily detected

Which can be found here.


alt

joined 11 months ago