[ageofwant]

'app sandboxing' is one part, of a small part, of a subsection of a general thread model, why would you pick that when you talk about 'secure'? And LOL no, Linux has SELinux, apparmor, firejail, flatpak, snap, docker, lxc, and various hypervisors for 'app sandboxing', Linux does not have 'basically none', it has arguably to many.

[oDot]

Still talking about default config here

[jraph]

AFAIK the default config on Windows to install a program is still downloading an executable installer on Windows.

On Linux, the default config is you install most programs from the "trusted" distribution's repositories. Flatpaks and Snaps are increasingly used for apps that are not in the repository. They are not perfect, but they are improving.

I don't know how it works for macOS. You'd download a program image but I don't know what the program can do and if there's a sandbox.