> Android has one of the best security models and sandboxing for apps. It's based around SELinux.

You mean a security model that misses the fact that the kernel cannot be updated and relies on a "sandboxing" solution that doesn't bother limiting kernel attack surface. No, I don't think they even had a security model in mind, a threat model or anything beyond random ad hoc ideas. And if they did some thinking, they would not have chosen SELinux either, as it's not a decent solution to anything; it's more like a solution to "we must do something, this is something, we must do this".

SELinux actually does significantly reduce the kernel attack surface on Android, and it has made a lot of kernel vulnerabilities unexploitable on Android. This particular bug was simply one in the remaining attack surface.
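A practical way to see the attack surface the policy is actually cutting off from the app sandbox is to triage the AVC messages the kernel logs. The script below is an added example, not code from the thread or from AOSP: it parses logcat-style `avc: denied` lines, groups them by source domain, target type, object class and permission, collects the ioctl command numbers refused on device nodes (Android's xperm rules log `ioctlcmd=`), and separates denials whose `permissive=1` flag means the domain is only being audited, so nothing was actually blocked. The log lines, process, device and type names in `SAMPLE_LOGCAT` are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample logcat lines (not captured from a real device) in the
# AVC message format the Android kernel emits; app, device and type names
# are illustrative.
SAMPLE_LOGCAT = """\
I/ActivityManager: Start proc 4321:com.example.app/u0a12
avc: denied { ioctl } for pid=4321 comm="com.example.app" path="/dev/gpu0" dev="tmpfs" ino=9876 ioctlcmd=0xc0186404 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=0
avc: denied { ioctl } for pid=4321 comm="com.example.app" path="/dev/gpu0" dev="tmpfs" ino=9876 ioctlcmd=0xc0186405 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=0
avc: denied { read open } for pid=4321 comm="com.example.app" path="/proc/kallsyms" dev="proc" ino=4026 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc_kallsyms:s0 tclass=file permissive=0
avc: denied { module_request } for pid=4321 comm="com.example.app" kmod="net-pf-40" scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:kernel:s0 tclass=system permissive=0
avc: denied { read } for pid=777 comm="vendor_daemon" name="config" dev="dm-3" ino=12 scontext=u:r:hal_foo_default:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=file permissive=1
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC line, or None for lines that are not AVC messages."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    fields["verdict"] = m.group("verdict")
    fields["perms"] = m.group("perms").split()
    # u:r:untrusted_app:s0:c512,c768 -> untrusted_app ; u:object_r:gpu_device:s0 -> gpu_device
    fields["sdomain"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    # permissive=1 means the source domain is permissive: the denial is logged but NOT enforced
    fields["enforced"] = fields.get("permissive") == "0"
    return fields


def summarize_denials(text):
    """Aggregate denials by (source domain, target type, class, permission).

    Returns (enforced, audit_only, ioctl_cmds): two Counters keyed by that
    tuple, and a map from (domain, target type) to the set of ioctl command
    numbers that were refused on it.
    """
    enforced, audit_only = Counter(), Counter()
    ioctl_cmds = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        bucket = enforced if rec["enforced"] else audit_only
        for perm in rec["perms"]:
            bucket[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)] += 1
            if perm == "ioctl" and "ioctlcmd" in rec:
                ioctl_cmds[(rec["sdomain"], rec["ttype"])].add(int(rec["ioctlcmd"], 16))
    return enforced, audit_only, ioctl_cmds


def report(text):
    """Render the summary; permissive-domain entries are flagged because they block nothing."""
    enforced, audit_only, ioctl_cmds = summarize_denials(text)
    out = []
    for (dom, ttype, cls, perm), n in sorted(enforced.items()):
        out.append(f"BLOCKED  {dom} -> {ttype} ({cls}:{perm}) x{n}")
    for (dom, ttype), cmds in sorted(ioctl_cmds.items()):
        out.append(f"  ioctl cmds refused for {dom} -> {ttype}: " + ", ".join(hex(c) for c in sorted(cmds)))
    for (dom, ttype, cls, perm), n in sorted(audit_only.items()):
        out.append(f"PERMISSIVE (not blocked!) {dom} -> {ttype} ({cls}:{perm}) x{n}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOGCAT))
```

The `permissive=` split is the check to keep in mind when reading any device's log: a denial from a permissive domain (common in vendor HALs during bring-up) proves only that the policy would have blocked the access, not that it did.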


Despite the fragmentation and lack of updates provided by most OEMs, Android's architecture from a security point of view is safer than any other Linux-based platform, with the exception of ChromeOS.

Managed-language userspace; drivers implemented in Java or C++ in their own process with IPC to the kernel (since Project Treble); a whitelist of allowed native calls beyond the rather thin set of native libraries; to touch I/O beyond its own APK install dir or TCP/IP, native code needs to go through the managed layer; several security-critical processes are deployed in production with FORTIFY and sanitizers turned on.

ChromeOS turns the notch even higher by running Crostini on its own Rust-implemented hypervisor and a Go-written userspace syscall wrapper (gVisor).
