Keyoxide: https://keyoxide.org/9f193ae8aa25647ffc3146b5416f303b43c20ac3
OpenPGP: openpgp4fpr:9f193ae8aa25647ffc3146b5416f303b43c20ac3
I can keep Firefox bleeding edge without having to worry that the package manager is also going to update the base system, giving me a broken next boot if I run rolling releases.
On Nix[OS], one can use multiple base Nixpkgs versions for the specific packages one wants. What I have is, e.g., 2 flakes: nixpkgs and nixpkgs-update. The first includes most packages, including the base system, that I do not want to update regularly, while the latter is for packages that I want to update more regularly, like the Web browser (security reasons, etc.).
e.g.
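The two-Nixpkgs setup described in the comment above, sketched as an added example that is not the commenter's own configuration. It assumes `nixpkgs` and `nixpkgs-update` are two inputs of one `flake.nix`; the branch names, the host name `myhost`, the `x86_64-linux` system and the `./configuration.nix` path are placeholders chosen for illustration.

```nix
{
  description = "Base system pinned to one Nixpkgs, browser taken from another";

  inputs = {
    # Base system and most packages: updated rarely (branch is an assumption).
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
    # Fast-moving, security-sensitive packages: updated often (branch is an assumption).
    nixpkgs-update.url = "github:NixOS/nixpkgs/nixos-unstable";
  };

  outputs = { self, nixpkgs, nixpkgs-update, ... }:
    let
      system = "x86_64-linux"; # assumption: adjust to the machine
      # Second package set, evaluated from the frequently updated input.
      pkgsUpdate = import nixpkgs-update { inherit system; };
    in {
      # "myhost" is a hypothetical host name.
      nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [
          ./configuration.nix # existing system config, built from `nixpkgs`
          ({ ... }: {
            # Only the browser comes from the frequently updated input;
            # the kernel, bootloader and everything else stay on `nixpkgs`.
            environment.systemPackages = [ pkgsUpdate.firefox ];
          })
        ];
      };
    };

  # Refresh only the browser's input; the lock entry for `nixpkgs` is untouched:
  #   nix flake update nixpkgs-update                 (recent Nix releases)
  #   nix flake lock --update-input nixpkgs-update    (older Nix releases)
}
```

Because `flake.lock` records a separate revision for each input, `git diff flake.lock` after an update shows whether the base-system pin moved.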
When I was packaging Flatpaks, the greatest downside was:
No built-in package manager
There is a repo with shared dependencies, but they are very few. So one needs to package all the dependencies… So, I personally am not interested in packaging for Flatpak other than on very rare occasions… Nix and Guix are definitely better solutions (except for the isolation aspect, which is not a feature; you need to do it manually), and one can use them on many distros; Nix even on macOS!
Some of them will detect if you are using virtualization. For example, http://safeexambrowser.org/ by ETH Zurich.
Ironically enough, it is free software: https://github.com/SafeExamBrowser
Just use a community-led or non-profit-foundation-led distro: NixOS (better than Silverblue/Kinoite in all aspects they try to sell), Arch, or Debian.
For professional usage, you generally go Ubuntu, or some RHEL derivative.