"Locked down" is an incorrect way to look at it.

It follows a different philosophy. I've been using atomic systems for the past year or so as my main driver.

If you want to install something that needs superuser access, you do it inside a container. This protects your OS from breaking.

The number of times I've accidentally installed something which broke my window manager or compositor is now zero