Speaking of, I always find it very telling that the knee-jerk reaction is to blame a dependency or subcontractor. That's the same mentality that says "paid for code must be better" when, last I checked, there aren't any more Windows phones, are there?
But there was a Windows password hash method in the early 2000s that could be brute forced on a single consumer grade CPU in less than 24 hours on their current-at-the-time flagship network server OS. So there's that...
The nature/architecture of Tails means this kind of attack is possible. Apps that can "break through" the OS networking get access to the "real connection". Excuse my non-technical language.
Disclosure/ad: I work on Whonix, which is, uh, Tails in a VM essentially (to the person who only knows Tails and not Whonix). In Whonix, the desktop is in a VM, separate from another OS in another VM running the networking. No program in the desktop VM can reveal the public IP. On top of that, for advanced users, the desktop hardware itself might be separate from the hardware connected to the public internet.
The VM (VirtualBox, KVM, whatever) is the single (practical) attack surface, which is safer than ensuring every program the user may run is patched. Excuse the rant/ad/competition-bashing.
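The split the comment above describes (a desktop VM whose only path out is an isolated gateway VM) holds only as long as the desktop VM's routing table never gains a second path. The following is an added illustration, not code from the Whonix project or from the commenter: it parses constructed `ip route` output and flags any route that does not go through the assumed gateway address or the assumed internal network. The gateway IP, the internal network range and the sample routing tables are all made-up placeholders.

```python
# Added example (not from the Whonix project or this thread): check that a
# workstation VM's routing table only reaches the network through an isolated
# gateway VM, so no local program has a second path that could expose the
# host's public IP. Gateway address, internal network and sample `ip route`
# output are constructed placeholders, not real Whonix values.
import ipaddress

GATEWAY_IP = "10.152.152.10"                             # assumed gateway VM address
INTERNAL_NET = ipaddress.ip_network("10.152.152.0/24")   # assumed VM-internal network

# Constructed sample: desktop VM with a single NIC towards the gateway VM.
GOOD_ROUTES = """\
default via 10.152.152.10 dev eth0
10.152.152.0/24 dev eth0 proto kernel scope link src 10.152.152.11
"""

# Constructed sample: a second NIC bridged to a LAN gives programs a path
# around the gateway VM, which is exactly what the split is meant to prevent.
BAD_ROUTES = """\
default via 10.152.152.10 dev eth0
10.152.152.0/24 dev eth0 proto kernel scope link src 10.152.152.11
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.50
"""


def parse_routes(text):
    """Turn `ip route` lines into dicts with dest, via (next hop) and dev."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        route = {"dest": parts[0], "via": None, "dev": None}
        if "via" in parts:
            route["via"] = parts[parts.index("via") + 1]
        if "dev" in parts:
            route["dev"] = parts[parts.index("dev") + 1]
        routes.append(route)
    return routes


def check_isolation(text, gateway_ip=GATEWAY_IP, internal_net=INTERNAL_NET):
    """Return a list of findings; an empty list means every route goes via the gateway."""
    findings = []
    for r in parse_routes(text):
        if r["dest"] == "default":
            # The only acceptable default route is the one pointing at the gateway VM.
            if r["via"] != gateway_ip:
                findings.append(
                    f"default route bypasses gateway: via {r['via']} dev {r['dev']}")
            continue
        try:
            net = ipaddress.ip_network(r["dest"], strict=False)
        except ValueError:
            findings.append(f"unparseable route destination: {r['dest']}")
            continue
        # Any directly connected network other than the gateway link is a second path out.
        if not net.subnet_of(internal_net):
            findings.append(
                f"route outside the isolated gateway network: {r['dest']} dev {r['dev']}")
    return findings


if __name__ == "__main__":
    for label, table in (("good", GOOD_ROUTES), ("bad", BAD_ROUTES)):
        print(label, check_isolation(table) or "ok")
```

Run it against real output (`ip route show`) only inside the VM being checked; on the constructed samples the first table passes and the second reports the bridged LAN route on `eth1`.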
That’s one of the issues an aggregate system (which describes any system of meaningful size, these days) has to deal with.
How many of the massive breaches we hear about originate with dependencies or subcontractors?