> This is not true for Debian, which is the upstream of PureOS.
Lots of the software they provide has privacy invasive behavior and far more than that has poor privacy.
> And yet, it has practically negligible number of malicious apps, especially compared with Google Play.
Google Play is not the only app repository for Android-based operating systems. There are repositories in the style of traditional Linux distributions and also better approaches available.
> Nevertheless, it is a security model working in practice for a large userbase of Debian.
No, it has very poor privacy and security.
> It works especially well for technical users.
Being technical doesn't address the massive privacy and security issues. It only makes it less likely people install blatant malware instead of it being a problem through supply chain attacks and very poor security throughout the OS.
> Lots of the software they provide has privacy invasive behavior and far more than that has poor privacy.
You can't attack Debian like this without providing a few examples.
> No, it has very poor privacy and security.
This is just an empty accusation. Have you seen serious security problems in Debian with any noticeable consequences recently?