[Bender]

if there’s one that comes “safe by design” for kids.

I am not aware of such a thing. I think it would be a combination of sitting with your kids and helping them understand all the bad things the internet will throw at them and some effort on your part to lock it down and let them know some of the safeguards will be loosened as they mature. Help them become jaded and skeptical of the internet early. Educate them on all the shady marketing and psychological manipulation practices of corporations.

Probably something like [1] or one of the education focused distributions. I have never tried any of them. Then it may be some effort on your part to block adult sites using DNS [2]. They can bypass this but you can make some effort on your router to block DoH using a local Unbound DNS entry:

    local-zone: "use-application-dns.net." always_nxdomain

and of course configuring applications to use either your DNS or something online that attempts to block adult sites. Also set up a start-up script to blackhole route all the DoH/DoT providers other than those you approve. Despite popular belief blocking DoH is trivial. This wont help with corporate sites that try to manipulate kids into pushing the parents to buy things. This is really something that you will have to help your kids understand. There are ways to lock down Linux and only allow specific web-sites but that involves setting up a Squid SSL-Bump proxy and that will break a few sites. A TLS MitM proxy like Squid is about the only thing that really works these days as so many sites are behind a CDN. I have never tested a MitM of Discord using Squid. The only sites I know that sortof won't work in a MitM proxy are those that still do certificate pinning and there are not many.

As Mr Bees69 said this can make them resentful especially if it is obvious they can not do things their friends are doing. Their friends will teach them how to bypass anything especially if they are teens. Teens can get around most limitations from within video games and Discord. Many watch / stream pirated or adult movies together from within rated-pg games which in a way is somewhat worse than just going a porn site as they will get their adult knowledge from their friends instead of you. Their friends are worse than LLM's in that as a group they will confidently give amazingly poor advice.

[1] - https://www.endpointdev.com/blog/2021/01/linux-distro-for-ki...

[2] - https://www.opendns.com/home-internet-security/

[Mr_Bees69]

Plus, youll need to block some great resources. Reddit, archive.org, and the wikimedia commons (wikipedia's filehost) just to name a few.

[Bender]

Indeed. Anything that allows users to add their own text links or multimedia content can go from rate-g to rated-xxx in hot second or until a moderator maybe removes something. That's why I have been pushing people to use RTA [1] headers on sites instead of the silly privacy invading 3rd party verification sites. With RTA headers one could add a single header on any adult or user-content driven URL. A MitM proxy could block any URL that contains that header.

[1] - https://www.rtalabel.org/index.php?content=howtofaq#single

[markun]

Didn't knew about RTA, I really like the way it's proposed.