Reply from Adrian Vovk, founder of carbonOS and contributor to GNOME OS:
It also lets us be the first and only general purpose Desktop Linux distro to cryptographically enforce the integrity of the whole OS. We are cryptographically immutable, which means we hash the whole OS and make sure it hasn’t been changed (of course, we do this more efficiently than the naive approach I’m describing here). This ties in with secure boot and the TPM, which ties into your disk encryption. If an attacker tampers with the OS, not only will it refuse to boot with secure boot on, but it will fail to decrypt your disks with secure boot off. As a user, of course, you’re in complete control to turn off these protections.
Anyway, as far as I know we’re the only Desktop Linux distro that’s anywhere near as secure (on a platform and disk encryption level) as modern phone OSs, ChromeOS, or macOS.
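The measured-boot chain Adrian describes (hash the OS, feed the result into the TPM, bind the disk key to that measurement) can be sketched as a simulation. This is an added example, not carbonOS code and not the real TPM API: the image blocks, the TPM seed and the HMAC-based "sealing" are all constructed stand-ins for PCR extension and TPM2 policy sealing, kept only to show why a tampered image cannot recover the disk key.

```python
import hashlib
import hmac

# Constructed stand-in for an OS image, measured block by block at boot
# (a real system measures via dm-verity/UKI hashes rather than raw blocks).
OS_IMAGE = [b"kernel-v1", b"initrd-v1", b"rootfs-block-0001"]

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(data)). Order-dependent, one-way."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_image(blocks) -> bytes:
    """Replay the boot measurements into a PCR that starts zeroed at power-on."""
    pcr = bytes(32)
    for block in blocks:
        pcr = pcr_extend(pcr, block)
    return pcr

def seal(disk_key: bytes, expected_pcr: bytes, tpm_secret: bytes):
    """Simulated sealing: wrap the disk key under a key bound to one PCR value."""
    kek = hmac.new(tpm_secret, expected_pcr, hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(disk_key, kek))
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
    return wrapped, tag

def unseal(blob, current_pcr: bytes, tpm_secret: bytes):
    """Return the disk key only if the current PCR equals the sealed-to value."""
    wrapped, tag = blob
    kek = hmac.new(tpm_secret, current_pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hmac.new(kek, wrapped, hashlib.sha256).digest()):
        return None  # policy mismatch: the OS that booted is not the OS sealed against
    return bytes(a ^ b for a, b in zip(wrapped, kek))

def boot(blocks, blob, tpm_secret: bytes):
    return unseal(blob, measure_image(blocks), tpm_secret)

# Constructed values; a real TPM never exposes its internal seed.
TPM_SECRET = b"constructed-tpm-seed-not-a-real-secret"
DISK_KEY = hashlib.sha256(b"constructed disk key").digest()
SEALED = seal(DISK_KEY, measure_image(OS_IMAGE), TPM_SECRET)

def boot_pristine():
    return boot(OS_IMAGE, SEALED, TPM_SECRET)

def boot_tampered():
    tampered = OS_IMAGE[:2] + [b"rootfs-block-0001-modified"]
    return boot(tampered, SEALED, TPM_SECRET)
```

Run `boot_pristine()` and `boot_tampered()` to see the unmodified image recover the key while the modified one gets `None`; swapping the order of two blocks fails the same way, since PCR extension is order-dependent.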
It might actually be easier to deploy and enforce and repair the images too, than with Windows for example.
BitLocker is a bit of a headache to oversee and requires manual intervention a lot, has various known bypasses, etc. – the secure image lets you just check for changes, and redeploy (I would guess?).
This is a thing I was thinking about recently as I was reading about Microsoft's solution to the downgrade attacks (downgrading installed Windows updates). Their solution is like some kind of hardware TPM based UEFI lock that essentially renders the machine unbootable if any modifications are made. Although I guess this is secure, it's not really the ideal outcome if hundreds of my machines become compromised. I now have to manually re-image them all? Ugh.
The default-to-fail security model is not ideal, but Microsoft has very much pushed it as the solution to something: ‘well, if the computer crashes it's safe’.