HACKER Q&A
📣 deafpolygon

Reasonable Linux distro that balances security, privacy and usability?


One of the most common answers when asked about "How can I achieve more privacy and security with my OS?" is to switch to FOSS/Linux.

The biggest issue I have is that, when you search for privacy-oriented Linux distros, they almost always boil down to the following: Qubes, Kodachi, Kali, Whonix, Tails, BlackArch, and variants.

My issue is that these are not very user-friendly or user-oriented distros. They are more or less distros for either security experts, the very paranoid, or penetration testers.

My idea of a private OS isn't necessarily one that's safe from a direct attack or something you need to secure spy-level intelligence, but one that does not leak private information, does good-enough encryption by default and offers great usability while allowing access to a good set of applications that are also privacy-oriented. Applications and the OS should not leak telemetry data by default (opt-in only) or have no private data leaked at all.

Obviously, a certain amount of data will inevitably be shared (DNS lookups, Google searches) but that kind of information should be communicated to the end-user as much as possible.

I'd love to see more discussion around this, because I think that this is a topic that will become ever so critical with the increase in "telemetry data" being collected.


  👤 hayst4ck Accepted Answer ✓
Your goals aren't very clear. Your threat model matters a lot to answering the question. What is your threat model?

Your browser alone is probably a tenfold greater threat to your privacy than the operating system is, and a share of the telemetry is legitimate and very much directly useful for improving the product and responding to incidents.

Any Linux distro probably won't hash/index all your files into a voice assistant, won't virus scan, and won't backup to a cloud, which is an immediate privacy and security win.

If you want to engage in the privacy mindset, you must first focus on observability. Specifically you should be thinking about how to set up a proxy/firewall between your daily driver and the raw internet to see what is accessed.

Without observability, you don't know what is doing what no matter what you use. You are forced to trust without understanding, and you wouldn't be able to answer your own question empirically. Without an off-machine firewall, you can't prevent the behavior you want to prevent.

For a long time OpenBSD had the reputation for being most secure by default. I don't know if that's still true. Running some type of observability/firewall platform on that would probably be useful. I've never used mitmproxy, but I imagine that would be useful.


👤 tsingy
Any distro will do. It will be a big step ahead of macOS or Windows already in terms of privacy. Once you know more, you can always move towards more niche ones. I personally use Fedora on a ThinkPad T470/Dell Optiplex 7010, a good mix of up-to-date software, stability and ease of use.

👤 kosasbest
> Qubes, Kodachi, Kali, Whonix, Tails, BlackArch

- Qubes is overkill for my needs.

- Kodachi is shady as fuck and could have a backdoor.

- Kali has too much of an attack surface. It's bundled with thousands of software packages that can be leveraged in attacks.

- Whonix is certainly useful, but you need a beefy machine to run two VMs side-by-side. Also it may leave a forensic footprint if your Linux install dumps contents from RAM to disk (swap).

- Tails again is useful, but I found it's updated very frequently. A whole new flashed thumbdrive just to update Tor is insane. But I still use it for like 50% of my computing.


👤 aborsy
Like, what’s the security or privacy problem with Ubuntu, or most distributions in fact?

👤 cpach
What’s wrong with Debian or Fedora?

👤 LinuxBender
Reasonable Linux distro that balances security, privacy and usability?

I would interpret that as a Linux distribution that is kept up to date, is easy to configure, does not have dial-home cruft and has decent documentation. This is just my own take but opinions will vary wildly for everything I will add here.

- Kept up to date would be all the popular distributions that are not niche focused such as the security/privacy distros that you mentioned. They have a small user base and do not have as regular a cadence of updates. So Arch, Alpine, Alma, Debian, CentOS/Redhat, Fedora, QubesOS, Rocky, Void, Ubuntu. Fedora and Ubuntu will have the most recent a.k.a. bleeding edge versions of upstream packages but most of the distributions are not far behind. The oldest and most battle hardened versions of software would be on CentOS/RHEL with back-ported bug and security fixes. I intentionally left out Gentoo and LinuxFromScratch as those are for people that love tinkering and troubleshooting.

- Not dialing home is devolving by the day but Alpine, Alma, Arch, Debian, CentOS, Qubes, Rocky, Void are not chatty. Fedora recently started dialing home quite heavily for desktop users and even mimics some Microsoft behavior in the latest Beta. Hopefully they will turn this off after Beta because blocking it breaks the desktop. Ubuntu had a few missteps in this area in the past but I do not know if Canonical curtailed the dialing home, this was some time ago. Something to keep an eye on in this area is systemd-resolved as this is evolving and has the potential to get leaky but that is a topic in and of itself.

- Arch has incredible documentation. They are an outlier in this area. Behind them I would place Debian, CentOS, Fedora and Ubuntu. The others have hit-or-miss documentation that sometimes requires a search engine to fill the gaps, especially as it pertains to real world examples.

- Easiest to configure would be Ubuntu as it had heavy adoption early on by many developers, followed by Fedora. Both have a myriad of example configurations in their documentation and endless examples on StackExchange, Serverfault, etc...

Again, just my own opinions. I tried to not be biased. I am a pragmatic minimalist and do not like shiny or trendy things. I personally prefer Void and Qubes for desktop and Alpine for VMs, routers, firewalls, etc... Qubes should have a decent amount of memory, maybe 32GB+. Both have some minor annoyances that would frustrate people new to Linux. All of the popular distributions can be locked down to be less chatty using outbound firewall rules with the iptables "owner" module, with the exception of Fedora's Beta.

If you want to go beyond user-based+port-based rules then there is an open source project called OpenSnitch that mimics the behavior of LittleSnitch (mac). [1] Blocking the chatty behavior of Fedora will break it, especially their admin sub-domain. It is equivalent to Microsoft's access sub-domain used heavily by the Home edition.

Beyond the basic hardening of an OS, if one wanted to really lock things down and assuming they understand Linux networking principles, then QubesOS + a custom Firewall VM clone + custom Whonix VM clone has the potential to leak the least data, but this assumes that one already greatly understands networking, Linux, and all the internet services. There are no turn-key solutions for this that fill knowledge gaps, despite there being several that claim to do so. If going down this path, I suggest using a spare machine that you would not mind blowing away and re-configuring VMs as a matter of a learning exercise.

Reducing the chattiness of user-space applications like Firefox would be user.js [2] and controlling what those applications can see or not see would be firejail, available in some distro repos. [3]

Additional hardening can be implemented using one of the five security modules in the Linux kernel, with the most common being AppArmor and SELinux, but one must really learn how these work to get the most out of them. Most applications in a Linux distro have existing MAC rules. Custom applications would need custom MAC rules to secure them. The default rules in AppArmor and SELinux are designed for a balance of security and usability rather than security+privacy.

All of the distributions can be stripped down to be as lean as you want.

[1] - https://github.com/evilsocket/opensnitch

[2] - https://github.com/arkenfox/user.js

[3] - https://github.com/netblue30/firejail
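Putting hayst4ck's observability point and LinuxBender's iptables "owner" module suggestion together, here is an added example (not code from either poster): a function that prints a per-user outbound allow-list with a logging catch-all, and a function that summarises the resulting kernel LOG lines so you can see which user tried to reach what before tightening further. The chain name `OUT_ALLOW`, the `OUT_DENY:` log prefix and the sample log lines are constructed for this example; the rules are only printed, not applied, so they can be reviewed before running them as root.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes iptables with the xt_owner
# ("owner") match and the LOG target's --log-uid option on the host.

# Print rules that let only the named users open TCP connections to the
# given ports; every other outbound packet is logged (rate limited) and
# dropped. Usage: gen_owner_rules "alice bob" "443 853" | sudo sh
gen_owner_rules() {
    users=$1; ports=$2
    echo 'iptables -N OUT_ALLOW 2>/dev/null'   # constructed chain name
    echo 'iptables -F OUT_ALLOW'
    # loopback and already established flows are left alone
    echo 'iptables -A OUTPUT -o lo -j ACCEPT'
    echo 'iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for u in $users; do
        for p in $ports; do
            echo "iptables -A OUTPUT -m owner --uid-owner $u -p tcp --dport $p -j ACCEPT"
        done
    done
    # --log-uid records the owning uid so the summary below can group by user
    echo 'iptables -A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "OUT_DENY: " --log-uid'
    echo 'iptables -A OUTPUT -j DROP'
}

# Read kernel log lines on stdin (e.g. journalctl -k | summarize_denies) and
# print "uid destination:port count", most frequent first. Field order
# (DST before DPT before UID) is what the LOG target emits.
summarize_denies() {
    grep 'OUT_DENY:' \
    | sed -n 's/.*DST=\([^ ]*\).*DPT=\([0-9]*\).*UID=\([0-9]*\).*/\3 \1:\2/p' \
    | sort | uniq -c | sort -rn | awk '{print $2, $3, $1}'
}

# Constructed sample log lines (addresses from the documentation ranges).
SAMPLE_LOG='kernel: OUT_DENY: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
kernel: OUT_DENY: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
kernel: OUT_DENY: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=5353 DPT=53 LEN=40 UID=0 GID=0'

# Stand-alone run: show the generated rules, then the denial summary.
gen_owner_rules "alice" "443 853"
printf '%s\n' "$SAMPLE_LOG" | summarize_denies
```

Any uid that shows up repeatedly in the summary is either a program you want to allow explicitly (add a `--uid-owner` rule for it) or the dial-home behaviour you were looking for.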


👤 mardiyah
any Linux does

just be adept at it!