I used PopOS, but once they announced they'll start focusing on their Cosmic desktop, I switched to Fedora KDE. It worked to some degree until it crashed and I lost some data. Now I'm on Ultramarine GNOME and it doesn't seem to like my hardware (fans are spinning fast).
My threat model involves someone trying to physically unlock my device, so I always enable disk encryption, but I wonder why Linux doesn't support secure boot and TPM-based encryption (I know that Ubuntu has plans for the latter, that's why I'm considering it rn).
I need something that keeps things updated and adopts newer standards fast (that's why I picked Fedora KDE in the first place). I also use lots of graphical tools and video editing software, so I need the proprietary Nvidia drivers.
Idk what to choose ಥ_ಥ ? The only one that seems to care about using hardware-based encryption is Ubuntu, while other distros don't support that.. the problem with Ubuntu is their push for snaps (but that can be avoided by the user).
Security heads say: if you care about security, you shouldn't be using systemd, use something like Gentoo or Alpine.. yeah, but do you expect me to compile my software after? Hell no.
Dude, you're not lost. You have highly specialized requirements that the vast majority of people don't have so most people won't be able to help. But you definitely are ahead of the average Linux user here.
I'm one of the people that can't help you, but it looks like some others here have good suggestions.
I'm not sure hardware-based full disk encryption counts as a "highly specialized requirement". It's enabled by default on Android, iOS, Mac and even Windows usually. It's a basic requirement for businesses.
It requires you to sign into a Microsoft account (which I assume most non-nerds do, given how hard they make it to avoid) and have hardware that supports it... But yes Windows enables full disk encryption by default now.
When you first sign in or set up a device with a Microsoft account, or work or school account, Device Encryption is turned on and a recovery key is attached to that account.