Debian as a server gets security updates, but the packages for desktop remain old, feature robbed and vulnerable. Default Web browser is passing on manifest v3 which enhances security. Linux isn’t going TPM2 (yet) which prevents rootkits, bootkits, keyloggers, and malware. Linux doesn’t enforce security updates. Anyone that thinks Linux doesn’t have frequent security problems hasn’t done a web search on the topic. All operating systems have issues, -Desktop Linux deliberately so.
Honestly, distro choice is really just what you know
Then you can do whatever you want with it. I’ve been using debian for some years, and Ubuntu before that, so I’m confident on what I work with and that’s the biggest deal maker