“[GNU/]Linux being secure is a common misconception in the security and privacy realm.”
https://madaidans-insecurities.github.io/linux.html
“[GNU/]Linux is thought to be secure primarily because of its source model, popular usage in servers, small userbase and confusion about its security features. This article is intended to debunk these misunderstandings”.
Based on this, one should try to do as much as possible on a GrapheneOS device
Yes, you can have more narrow permissions, and the examples you listed are all valid and examples of apps with sensible permissions.
But since app developers can choose their apps permissions on their own, many apps have broad permissions like the access to the entire filesystem.
Some examples listed in the post:
GIMP, Gedit, VLC, Libreoffice, Audacity, VSCode, Dropbox and Skype
All of these have either the
filesystem=home
orfilesystem=host
permission, giving the app acess to basically everything and compromising security.Flatpaks can have more narrow permissions but aren’t required to have narrow permissions. The post’s statement that many applications have broad permissions remains true.