GrapheneOS is doing lot of things right in this regard. Robust permission system adopted from AOSP and hardening by default in every imaginable way. Things like hardened malloc, storage scopes are excellent security features. Malware cannot do much even with the default settings.

With a file system driver like Veracrypt, if it’s malicious, the OS might keep your computer safe, but not your files that you store in that file system.

Yes, I completely agree.

Qubes OS is such OS: it runs everything in VMs with strong hardware isolation. My daily driver, can't recommend it enough.