Linux comes in a wide range of distributions, so it is hard to make universal claims. One area where security defaults need to improve is sandboxing.
If security is a major concern, bwrap or firejail can easily provide that extra sandboxing.
NixOS and GuixSD make it quite trivial to sandbox applications in a declarative fashion using firejail.
An alternative is to use e.g. Flatpak, which gets you sandboxing for free via bwrap. But I am not a fan of application images that bypass package management.
I heard about the sandboxing being especially sketchy, thanks for a point in the right direction for mitigation.
Additionally, any thoughts on snap? (presently looking into Flatpak)
Generally the out-of-the-box experience of Ubuntu and Fedora is at least as secure or better than that of Windows. macOS tends to lean towards a more hardened configuration. Matching that is possible (Android being a great example), but will require some work on your part and is generally not worth it unless you download and run untrusted software.
And one area where desktop Linux really shines is how easy it makes it to limit yourself only to software you can generally trust: that in the default repositories. If you use a well-maintained distribution, keep your system up to date, and only use software that your distribution delivers, chances of your machine getting compromised by anything other than a strictly targeted attack are very slim.
It's understandable that eventually you might want to run third-party software. In that case, I'd definitely advise against running random scripts or commands from the Internet, especially the `curl | bash` kind, and adding third-party repositories to your system unless you absolutely trust their source. This and running out-of-date Internet-facing software are the most common attack vectors.
For third-party software, consider using Flatpak (desktop) and Podman/Docker (server). These sandbox software by default, limiting the damage it can do to your system. With Flatpak, always pay attention to what permissions your application will be granted (those are listed at installation time) and try to limit their scope as narrowly as possible. You can manage the permissions with `flatpak info -M` and `flatpak override`. There's also Flatseal, a GUI alternative which I personally haven't tried.
One more thing to watch out for: extensions. Some software, such as Visual Studio Code and derivatives, has very lax policies on extensions. Even if you install it from a trusted source but then install an untrusted extension, the extension will run with full access to your files! If you're using such programs, I recommend installing them in Flatpak and limiting their permissions as well. I've been burned by some VSCode extensions in the official marketplace that immediately contacted Chinese IPs upon installation.
Of course, those are tips for those looking to get started. Long-time users interested in hardening should definitely look into SELinux, seccomp, namespaces, dm-verity, and their associated utilities.
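To make the Flatpak permission advice above concrete, here is an added example (written for this page, not code from the poster or the Flatpak project) that audits the metadata `flatpak info -M` prints for an app and proposes the matching `flatpak override` command for each broad permission it finds. The keyfile format, the `[Context]` keys (`shared`, `sockets`, `devices`, `filesystems`) and the override flags (`--unshare`, `--nosocket`, `--nodevice`, `--nofilesystem`, `--no-talk-name`) are Flatpak's own; the sample metadata and the app id `org.example.Editor` are constructed for the example. The script only prints the suggested commands, it does not run them.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a Flatpak metadata file
# (the output of `flatpak info -M APP`) for broad permissions and print the
# `flatpak override` command that would remove each one.

# Print the value of KEY inside [SECTION] of a keyfile.  Usage: section_value FILE SECTION KEY
section_value() {
    awk -v sec="[$2]" -v key="$3" -F= '
        /^\[/ { insec = ($0 == sec); next }
        insec && $1 == key { print substr($0, length(key) + 2) }
    ' "$1"
}

# Print every D-Bus name the app may "talk" to or "own" on the session bus.
bus_policy_names() {
    awk -F= '
        /^\[/ { insec = ($0 == "[Session Bus Policy]"); next }
        insec && ($2 == "talk" || $2 == "own") { print $1 }
    ' "$1"
}

# Print one "finding -> remedy" line per broad permission.  Usage: audit_flatpak_metadata FILE APPID
audit_flatpak_metadata() {
    file=$1
    app=$2
    for item in $(section_value "$file" Context shared | tr ';' ' '); do
        if [ "$item" = network ]; then
            echo "shared=network -> flatpak override --user --unshare=network $app"
        fi
    done
    for item in $(section_value "$file" Context sockets | tr ';' ' '); do
        case $item in
            # X11 has no isolation between clients; the buses reach host services.
            x11|session-bus|system-bus)
                echo "socket=$item -> flatpak override --user --nosocket=$item $app" ;;
        esac
    done
    for item in $(section_value "$file" Context devices | tr ';' ' '); do
        if [ "$item" = all ]; then
            echo "device=all -> flatpak override --user --nodevice=all $app"
        fi
    done
    for item in $(section_value "$file" Context filesystems | tr ';' ' '); do
        # strip a :ro / :rw / :create suffix before matching
        case ${item%%:*} in
            host|home)
                echo "filesystem=$item -> flatpak override --user --nofilesystem=${item%%:*} $app" ;;
        esac
    done
    for name in $(bus_policy_names "$file"); do
        case $name in
            # talking to the Flatpak service itself lets an app leave the sandbox
            org.freedesktop.Flatpak|org.freedesktop.Flatpak.*)
                echo "session-bus talk/own $name -> flatpak override --user --no-talk-name=$name $app" ;;
        esac
    done
    return 0
}

# Constructed sample metadata (not a real app) for running the audit offline.
sample_metadata() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/23.08

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;session-bus;
devices=dri;all;
filesystems=host;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
EOF
    echo "$f"
}

# Usage against a real installation:  flatpak info -M org.example.Editor > meta && audit_flatpak_metadata meta org.example.Editor
```

Run `flatpak override --user --show APPID` afterwards to confirm what was actually changed, and re-run the audit after each update, since an app's requested permissions can grow between versions.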