Hacker News

fsflover, today at 9:45 AM

> Linux phones lack verified boot, meaning persistent malware is trivial on Linux devices.

Librem 5 has a 3FF Smart card reader. Also, it can be completely wiped and reinstalled, ensuring that your phone is cleaned whenever you suspect a compromise.

> supply chain attacks (i.e. npm)

Nobody uses npm on a GNU/Linux phone. As the OP correctly mentioned, the whole security model relies on the trusted apps. See also: https://source.puri.sm/Librem5/docs/community-wiki/-/wikis/F...

> Or really even if you lose your phone and someone was so inclined to they could just extract all the data if it was powered on but on the “lock screen,” as most if not all desktop

I never heard about such a possibility. Could you provide some details or links on how this could be done? AI says it's not really possible without very sophisticated instruments.

> It would maybe be possible to somewhat mitigate that with cryptomator or somehow using fscrypt since that’s what Android uses but I don't know

Indeed, GNU/Linux phones can and probably will improve their security with time, taking some things from Android.

> Also even for basic things like clipboard protection, even with Wayland there are ways around it so that an app can read anything from the clipboard

You can't just say this without any evidence.

> This doesn’t even get into people preferring Firefox on Linux which is light years behind Chromium based browsers in terms of security.

Unless you switch off JavaScript, which is what I do.