I worked at Google on post-Aurora endpoint security. Windows laptops are alive and well at Google. Linux laptops have had one foot in the grave for a while now (it's a bummer). Google historically made gLinux work only with enormous investments in customised distros and D&R.
> But maybe you could elaborate a bit more concretely about what kind of intra-host security boundaries are missing
- no boundaries between applications, everything runs as $USER which can read your browser creds
- no boundary between user and root, everything can trivially escalate privs (maybe we will fix this post Glasswing, let's see)
- no boundary between boots, root can trivially persist a compromise (probably non-root too)
The tech exists to solve all these problems on Linux, but there isn't a distro that strings it all together. (Unless you count ChromeOS/Android, which are not really OSS.)