Point still stands. postmarketOS isn't hardenned. Default desktop linux isn't hardened. Malware could easily infect your device and exfiltrate data, escalate privileges, modify the kernel, etc. Each of the things I have mentioned (hardened_malloc, immutable OS, hardened kernel, hardened firewall, removal of identifiers, full disk encryption, locking of root login [not the same as invoking root], MAC hardening through SELinux or/and AppArmor, service minimization for reduced attack surface, package manager hardening, secure boot, sandboxing of applications, etc) should be implemented for both Desktop or Mobile Linux to have "good" security. Security is preventative. All of these things come together to create a system better equipped to protect against know and unknown threats, which especially true for mobile devices which are near-costantly in unknown environments. A vulnerable device is weak link in the chain of your security, which can be used to compromise your privacy. You may never be attacked or have your device exploited, but that doesn't make it secure as a result.

I would love to see an actually secure mobile device that is rid of Google's stench. Problem is postmarketOS isn't secure, its just default linux on a phone. If it saw largescale adoption (which we all would like a good alternative to do) it would be easily exploited.

It says postmarketOS is based based on alpine Linux, which according to Whonix doesn't meet their threat model and it's odd to claim "Alpine Linux was designed with security in mind" when Alpine's package doesn't pass The Update Framework model. A vulnerable package manager can be used to compromise a system, read more package management on TUF's website.