Hot take: Might be wise to adopt the security by obscurity model and go with an OS that is hardened (ideally, a formally verified microkernel like sel4) or runs in a custom VM/container with almost zero attack surface area.