Malware in the traditional sense, as in a malicious program that sneaks its way onto your machine and runs a dangerous payload, is far far more common on Linux machines with open ports acting as servers on the internet. And even then, I'd wager that's less than 1% of the malware out there that specifically targets Windows simply due to market share. With that in mind, plain old Fedora will do just fine, especially if you leave SELinux enabled; many tutorials have you disable it if it interferes with apps/services you want to run, but they're simply being lazy, working around SELinux can be obscure at times, but it's still worth doing, and keeping it running rather than disabling it.

Malicious webpages and phishing attempts are more likely to cause you trouble on Linux, and the OS can only do so much to protect you there. Securing against those is more about vigilance and wisdom, which it sounds like you've got covered honestly!

I'm not sure I'm qualified to answer, you seem to know your security needs but i'll ask anyway: what are you securing against and why? You listed your security goals, but not exactly why you need them and what you are defending against. Fair enough, but without knowing more details, I'd suggest looking at QubesOS, which specifically isolates apps into different virtual machines. You could also go with security-by-minimality, and roll your own environment with Arch or Alpine (even Gentoo if you really wanna go down the rabbit hole)

One of the startups I worked for did business with Ford. We needed info about their networks to get them connected to our service in AWS, and in the process we learned that they still use public IPs for everything. Every workstation, server, router, etc. connected to the internet from a public IP, no NAT and only protected by extremely complicated firewall rules. Their IT team must be in constant distress, or super defensive about their architecture haha