On Switching to Qubes OS

After having daily driven FreeBSD for a couple of years, I recently made the switch to Qubes OS - and, very begrudgingly, back to GNU/Linux.

Why?

Anyone who knows me knows that I am incredibly passionate about digital security and privacy. I have always made use of sandboxing tools - everything from Flatpak to FreeBSD jails to full-fat virtual machines. However, I always felt that security could go further, and Qubes OS is about as far as secure computing goes.

How Qubes OS Works

Qubes OS is marketed as a "reasonably secure" operating system - and it is exactly that. It is structured on the assumption that the user will be compromised, and so it is built to be robust and highly isolated. It operates on the concept of "qubes" - virtual machines that each serve a specific purpose. Every part of the OS is compartmentalised using them - there are qubes for everything from networking and the USB stack to ones that self-destruct after their main process terminates (called "disposable qubes"). While they are all completely isolated by default, there are integrations like inter-qube file transfers and a global clipboard. Because of the architecture of the underlying Xen hypervisor, all qubes are subordinate to a primary virtual machine known as "dom0", which by default also runs the desktop environment (another qube can be set up for the graphics stack instead).

Networking and USB

Networking is one of the areas in which Qubes OS really comes into its own. The internet is responsible for nearly all system compromises, and so nothing except for the disposable qubes has any connection to the internet by default - internet connectivity must be manually assigned to qubes. The networking qube (sys-net) is also typically disposable, meaning that even if it is compromised, a simple reboot is all that is needed to return it to a clean state.

Of course, no networking solution can be said to be secure without a firewall. All network traffic (unless explicitly specified) is tunnelled through a disposable qube running a firewall (sys-firewall); rules are stored in dom0 and passed to sys-firewall at startup. Configuring the firewall is incredibly intuitive - it is done in a tab in the qube settings. For example, I am writing this post in a qube that only has access to one port on one domain - the SSH port on git.sr.ht in order to push changes to this site.
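The same one-host, one-port policy built from the dom0 command line rather than the settings tab, as an added example that is not part of the original post. It assumes the Qubes 4.x qvm-firewall syntax, that "reset" leaves a single unconditional accept rule, and a placeholder qube name of site-writer.

```shell
#!/bin/sh
# Added example, not from the post: dom0 commands that reproduce the author's setup from the
# command line instead of the qube settings tab: the qube may reach only TCP port 22 on
# git.sr.ht, plus DNS so that the name can still be resolved.
# Assumptions: the qvm-firewall syntax of Qubes 4.x; "site-writer" is a placeholder qube name;
# "reset" restores the default rule list, a single unconditional accept.
# Set QVM_FIREWALL=echo to preview the commands instead of applying them.
set -eu

QVM_FIREWALL="${QVM_FIREWALL:-qvm-firewall}"

# restrict_to_host QUBE HOST PORT
# Rules are matched top to bottom and the first match wins, so the specific accept
# rules go first and the unconditional drop goes last.
restrict_to_host() {
    qube="$1"; host="$2"; port="$3"
    # Start from the default list, then delete rule 0 (accept everything) so that no
    # broad rule sits above the specific ones.
    "$QVM_FIREWALL" "$qube" reset
    "$QVM_FIREWALL" "$qube" del --rule-no 0
    # The only permitted destination.
    "$QVM_FIREWALL" "$qube" add accept proto=tcp "dsthost=$host" "dstports=$port"
    # DNS to the upstream resolver (specialtarget=dns); without it the host name above
    # cannot be resolved from inside the qube.
    "$QVM_FIREWALL" "$qube" add accept specialtarget=dns
    # Everything else is dropped.
    "$QVM_FIREWALL" "$qube" add drop
}

# show_rules QUBE: print the resulting list so the ordering can be checked by eye.
show_rules() {
    "$QVM_FIREWALL" "$1" list
}

# Usage: sh lockdown.sh QUBE HOST PORT   (e.g. sh lockdown.sh site-writer git.sr.ht 22)
if [ "$#" -eq 3 ]; then
    restrict_to_host "$1" "$2" "$3"
    show_rules "$1"
fi
```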

As far as physical security goes, USB is one of the easiest ways, if not the easiest, to compromise a system. As such, USB handling works in much the same way as networking does. All USB devices are assigned to a USB qube (sys-usb), from which they can be passed to any other qube. As with the networking qube, sys-usb is disposable; even if a malicious device is plugged in, any ill effects (such as a keylogger) will be gone after a reboot.

Drawbacks

With all of this added security inevitably come a few inconveniences. After a few months of daily driving it, the performance hit has become very clear. I use it on a low-to-mid range laptop, and while the greatly increased memory usage was easily overcome by buying more RAM (my workflow went from using 4 GB of RAM to upwards of 16 GB), the lack of GPU acceleration has been a noticeable hindrance - simply watching an HD video results in over 50% CPU usage. That being said, GPU acceleration is being worked on.

Conclusion

All in all, Qubes OS is the best extant operating system that I have found. It is the only reasonably secure operating system of which I am aware, and while it is not for everybody, I have no doubt that I will be using it as long as the project is around.