I come from Fedora Atomic Desktops with SELinux and Secureblue hardening. It is okay, among the best you get on desktop Linux.
NixOS might be behind, also because there is no single recommended MAC method. But I assume that would be Apparmor, as it might be easier to implement.
I am using usb stadia controllers (firmware flashed but shouldnt matter) and they dont show up in Dolphin Emu (Flatpak) when I have these enabled:
services.dbus.apparmor = "enabled"; # "required" for stronger protection, otherwise it can be bypassed
services.dbus.implementation = "broker";
security.apparmor.killUnconfinedConfinables = true;
Enabling apparmor alone works, but is probably pretty weak without those additional things. Like, if it doesnt protect dbus or kill unconfined programs with existing rules, it has major holes, right?