One of the cool advantages I was pondering is its greatly reduced attack surface. Linux and Android apps can still come in, but they're always really sandboxed and insulated from the main OS, which is little more than browser+UI. So as secure as you can make the browser, that's your OS security. The most a user can do is install PWAs on it; they're not going to have a bunch of userspace native apps causing trouble.