Wow, this is very confirmed kills copypasta energy… at any rate, while I’m sure hundreds of hours of security podcasts have taught you many things, again, the original point being disputed is “Mainstream Linux is less secure than macOS” and a side point about the risk of not firewalling a modern mainstream Linux distro on public wifi.

As you state, network traffic is handled by the kernel network stack. The firewall (iptable rules, not magic) is network stack software that runs on that same Linux kernel. In what regard is the local firewall itself magic where “CVE stuff can[n’t] happen” on public wifi? If macOS is more secure inherently here, how? If that answer is “bSd MaGIc” okay, sure… do you understand what percentage of exploits are “hacks” in the 1990’s become root with memory exploit on hardware way in 2025? I challenge you to find a case, even at a hacking event of someone raw banging on a closed port on a modern mainstream Linux distro until they overflow into something. This is also a Starbucks… I don’t think anyone is rocking their 0-days at random Starbuckses.

You keep talking about non-default setups on fringe distros. Nobody is arguing Puppy Linux from 2010 with Limewire installed is secure to put on the modern internet at Starbucks, although I would give 99.999999% odds nobody will sidejack your insecure X11 stack at a random Starbucks even on unfirewalled Puppy Linux from 2010, even with Limewire.