> incredibly privacy invasive behavior is often not considered to be malicious

This is not true for Debian, which is the upstream of PureOS.

> therefore not actually significantly reducing trust in the upstream projects

And yet, it has a practically negligible number of malicious apps, especially compared with Google Play. It's far from perfect, and you are right that the sandboxing should be further improved. Nevertheless, it is a security model working in practice for a large user base of Debian. It works especially well for technical users.

> This is not true for Debian, which is the upstream of PureOS.

Lots of the software they provide has privacy invasive behavior and far more than that has poor privacy.

> And yet, it has a practically negligible number of malicious apps, especially compared with Google Play.

Google Play is not the only app repository for Android-based operating systems. There are repositories in the style of traditional Linux distributions and also better approaches available.

> Nevertheless, it is a security model working in practice for a large user base of Debian.

No, it has very poor privacy and security.

> It works especially well for technical users.

Being technical doesn't address the massive privacy and security issues. It only makes it less likely that people install blatant malware, instead of it being a problem through supply chain attacks and very poor security throughout the OS.

> Lots of the software they provide has privacy invasive behavior and far more than that has poor privacy.

You can't attack Debian like this without providing a few examples.

> No, it has very poor privacy and security.

This is just an empty accusation. Have you seen serious security problems in Debian with any noticeable consequences recently?