Excellent write-up! Thank you so much for this!
> It just so happens to be that Linux is the easiest to make secure
Could you back that up? Thanks in advance!
> that will totally not break with every upgrade
While I agree that it's a lot more brittle than it has any right to be, it hasn't been that bad in my experience. For example, it only took me 1-2 days after its official release to upgrade to Fedora 44 (and with it, GNOME 50). Out of the 5/6 extensions I had installed, only 1 has broken on me. Arguably, that is one too many. But as GNOME offers a very stable and polished experience otherwise, I suppose this is pretty acceptable.
Unfortunately, I can't really comment about that specific device. Regardless, I'd reckon the following is worth noting:
- ThinkPads (and to a lesser extent Dell's Precision/Latitude line of devices) are (generally speaking) the best supported laptops on Linux. We can e.g. see this when software like TLP has features exclusive to ThinkPads.
- Linux-specific vendors like NovaCustom, Star Labs, System76 and TUXEDO are cool. But they have to do a lot to catch up. Some of them don't even have an entry within ArchWiki's entry on laptops.
- While not a Linux-first vendor (at least initially), Framework has been picking up a lot of steam. Definitely deserving a mention alongside the others.
Anecdotally, I've moved from HP to ThinkPad and there's a very clear difference. To name one of my many frustrations with HP, my battery died every year or so on Linux. That's just ridiculous. By contrast, the experience on ThinkPad has been absolutely glorious. It's clearly meant to offer a first-class Linux experience.
I'm pretty sure it does, as secureblue, an ~~immutable~~ atomic distro that's hardened by default, required this commit to mitigate it once and for all.
While Bazzite and its atomic brethren do provide some additional protection against attacks, it's often very overstated. Hence, it's unsurprising that it doesn't provide any defense against this assault.