I agree there is less bloat like iMessage and less installing random crap apps. The biggest holes if an attacker is determined are probably the browser and images/video, and maybe common networking libraries or networked games which often have poor security. Once the image/video decoder is exploited and you get RCE (if in the browser you'd have to escape the browser sandbox too), there are less exploit mitigations on desktop Linux and maybe less chaining you'd need to do. And the lack of/worse verified boot than Android/iOS if that's something you need to worry about.
