Comment by ndriscoll
4 months ago
In the actual world, secure enclave is used for DRM, setting user permissions and running untrusted code as another user gets you 80% of the security you need if you don't trust something, and running it in a mostly empty container gets you another 19%. Unless you have a habit of running dubious code that you grant network access and keep up to date to ensure it knows the latest exploits, practically speaking you're fine.
Of course the obvious solution is don't run malware. Android's need for security partly comes from the fact that the primary repository/store distributes tons of dubious code that it grants network access and keeps up to date. If you stick to e.g. F-droid and turn off automatic updates, you don't find yourself in this adversarial position.
>running untrusted code as another user gets you 80% of the security you need if you don't trust something, and running it in a mostly empty container gets you another 19%.
Like I said, the Android team does not think so. Nor does the ChromeOS team, which uses selinux to sandbox the browser, something no other non-Android Linux distro does (except possibly secureblue, which sadly almost no one uses).