Linux, the kernel is audited to hell and back. But there are many more components to operating systems than just that, and each of them adds additional surface area to an attack. The big example to call out for this is of course SystemD, which took over many functions other more decentralized manageable components did. Since it came from Fedora, a forprofit entity, it also is a reasonable source to distrust the main distros which all use it.
Being able to work with several obscurer OSses would add a lot of security to whatever you're doing, since having a more varied OS ecosystem will give more hurdles to any would-be attacker. This makes things like OpenBSD, Qubes-Whonix or even Gentoo very useful in allowing at least some to keep their safety guaranteed.
Similarly with Firefox, it added many more components to itself in recent years that all form additional potential entry points into the system. If the fork in question is a more stripped down version of it (which is often the case) and still takes the main security updates that are added as they are found (which is always the case), they end up being safer against attack. Your point regarding fingerprinting still stands though, but it there are many vague sidechannels that can compromise your browserprints with relative ease.