QubesOS vs OpenBSD Security

I’ve been thinking about a similar question recently. IIRC OpenBSD dropped jail support some time ago. They also dropped Linux emulation quite a while ago as well. I like OpenBSD and I’m thinking of using it for some packet filtering. For a desktop though, I’m not so keen on it.

Using OpenBSD as a desktop system would require installing several hundred third-party packages. Many (most?) of them will be the same packages that would get installed on a Linux system, just compiled for *BSD. These packages do not undergo the same level of scrutiny that the base OpenBSD system gets.

Take it w/ a grain of salt, as I’m by no means a security expert (very far from it); however, the exploitable bits on a system seem to start at the browser and related libs, would they not? Kind of suspect that the bits that are exposed to attack are similar on either OS. Just that once an exploit on the browser is found, where do they go from there, what does that get them, and how high is the technical proficiency required to pull it off?

Personally, I’m kind of leaning towards Linux w/ Falco and a Wazuh agent, and am contemplating FreeBSD and jails as well w/ a Wazuh agent running. One thing about Qubes that I wonder about is the difficulty (or ability?) to run some kind of file integrity checker.

I don’t really have the time to spend on it, but my ideal setup would include some kind of file integrity checker in dom0 and each VM, plus having Falco in dom0 and each VM. Linux VMs, of course. I’m a fan of FreeBSD desktops, but not having something like Falco is a bit of a drag there.

I like the idea of running OpenBSD as a net VM; gotta remember to look into that one.