How it work is that it has a base OS, which is heavily optimized and securely sandboxed. Once install, it is very hard to hack this base layer. Like my device is an official Chromebook. To hack the BIOS you actually need to fry the secure key soldered to the motherboard.

Still, the fydeOS (open source) give a degree of security.

Then you have two very integrated layer. A debian layer and an Android layer. They only hadle softwares. The kernel, hardwares, the Desktop Environment (DE) are all handled by the base OS. It doesnt work like running a VM. The debian layer and android layer runs from the kernel itself so they are part of the OS