That's the mindset of most, but what's being pointed out, and what's rarely ever discussed because few ever give it any consideration, is the fact that the kernel itself is structurally full of weaknesses, many of which have been discovered and patched, but it's anyone's guess as to how many more undiscovered ones there are now and will be in the future. The setup you refer to is better than so many others because it is not potentially impacted negatively by 3rd party applications. However, it is still structured around a questionably designed, security-wise, kernel. I agree. Perhaps the OS's kernel can be designed better to expose a reduced target landscape for attackers. BTW, it's a filter built into Linux's kernel that affords a more robust Chrome sandbox.