Hard to check the security of something you haven't coded/read/compiled yourself.

I would guess if you stay on Chrome OS and use the Linux subsystem, you'll have a Google-signed VM running. Not sure if that's secure enough for your taste.