The rabbit hole of system security goes far indeed.
The optimal solution is of course one where you get near-native performance from everything, everything is easy to use, yet you achieve perfect user account isolation, so you can process sensitive stuff under one account and run insecure stuff under another.
However, in the end we come to firmware and hardware, where there is no control even in Linux.