That is a limitation of Lineage only because they choose to cater to users who want root (which usually modifies /system) and to support flashing Google Apps.
Why would having root itself rule out secure boot? It's just that they refuse to offer root themselves, and only as a result of that refusal one has to use system modifications to gain root. In a sense this is the opposite of your claim: they do explicitly not cater to root users.
And what the hell? Root with verified boot? That's like having the most secure castle while leaving the door open for anyone, you can't have both worlds.
Note: our root implementation was apparently affected by some vulnerabilities (never disclosed to us), meaning I tried to lower the attack surface to a minimum, but not knowing I did anything helpful we just couldn't leave it there.
Root doesn't mean you give root permissions to any dumb app. I implied proper permission management and authorization, of course.
Then it's just like a secure castle where the user can go into all of the rooms, to some with a special key. You don't have to go into those rooms, but you have the option to at any time.
And, depending on the implementation, you may change the special room, but if you return after the next reboot, it will be reverted back.
Actually, the castle analogy goes further: Unfortunately, many seem to interpret "verified boot" and "most secure" as "protects the dumbest user from shooting themselves in the foot on purpose by locking them into that castle".
That is exactly where the recent Apple scandal is coming from: The user is subservient to the OS vendor, and the OS vendor can abuse the user as they please.
Security is very important. Why? In order to not be exploited by strangers (criminals, spies...) against my interests. If security enables exploitation against my interests (by whomever, be it the OS vendor, the movie industry, or the government), it is not the security I want.
This one OS is different than all the other evil ones? That's what Apple said before...
If you're rooted your security is way lower. Simple as that. Rooting can be used against you, it can lead to exploitation, and likely has been.
Note: you can have secure boot without root and using your own Android build, such as CalyxOS. Not rooting doesn't imply using the stock firmware, never has been.
I honestly don't understand why it should be "Simple as that"? If you have the phone rooted, as long as you don't grant root to any application, why should it be less secure than if you hadn't rooted it?
(assuming everything else is the same, specifically the ROM supporting verified boot with root)
Then, by granting root permissions to apps, of course the attack surface gets larger, but this is a thing you control yourself.
Your note was always understood. Of course not rooting doesn't imply using the stock firmware. It however implies that you are submitting to a different master. Who may be different, and maybe a bit more lenient than Google/Samsung/whoever, but that other master will still enforce any dumb app's will against you.
Verified boot is only enforcing on -user builds.
Lineage ships -userdebug builds.
Furthermore Lineage's official root addon writes to /system. You can't have any additional changes to system or else verified boot won't boot.
You can't have it both ways as it stands.
That isn't to say they are incompatible, you can compile-in root support before the system hashes are generated and then you can have a locked bootloader with verified boot with root support.
But you cannot make any additional changes to /system with that root power afterwards.
The only way to preserve verified boot with Magisk is for the bootloader or recovery image to have Magisk compatibility built-in prior to signing. I don't think any flavor of Android that supports verified boot is currently doing this.
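The constraint described in the comment above (root compiled in before the system hashes are generated verifies, any later write to /system does not), as an added example that is not part of the thread and not any project's code. It models the check with a simplified binary SHA-256 hash tree rather than the real dm-verity on-disk format; the file contents and all function names are constructed for illustration.

```python
import hashlib

BLOCK = 4096  # common dm-verity data block size; the tree layout below is simplified

def blocks_of(data: bytes) -> list[bytes]:
    """Split data into BLOCK-sized chunks, zero-padding the final chunk."""
    chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    chunks[-1] = chunks[-1].ljust(BLOCK, b"\0")
    return chunks

def build_image(files: dict[str, bytes]) -> bytes:
    """Toy /system image: each file is stored in whole blocks, in sorted path order."""
    return b"".join(b"".join(blocks_of(p.encode() + b"\0" + files[p])) for p in sorted(files))

def root_hash(image: bytes) -> str:
    """Merkle root over the image blocks (binary SHA-256 tree, unsalted)."""
    if not image:
        raise ValueError("empty image")
    level = [hashlib.sha256(b).digest() for b in blocks_of(image)]
    while len(level) > 1:
        if len(level) % 2:
            level.append(bytes(32))  # pad odd levels with a zero digest
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()

def boots(image: bytes, signed_root: str) -> bool:
    """Model of the enforcing check: the image must hash to the root fixed at signing."""
    return root_hash(image) == signed_root

# Constructed sample contents, not real Android files.
STOCK = {"/system/bin/sh": b"sh" * 3000, "/system/build.prop": b"ro.build.type=user\n"}
SU = {"/system/xbin/su": b"constructed su placeholder"}

def scenarios() -> dict[str, bool]:
    rooted_build = build_image({**STOCK, **SU})       # root compiled in before hashing
    rooted_root = root_hash(rooted_build)
    stock_root = root_hash(build_image(STOCK))        # root hash of a build without su
    tampered = {**STOCK, **SU, "/system/build.prop": b"ro.build.type=userdebug\n"}
    return {
        "root compiled in before signing": boots(rooted_build, rooted_root),
        "su written to /system after signing": boots(rooted_build, stock_root),
        "rooted build, /system edited later": boots(build_image(tampered), rooted_root),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'boots' if ok else 'verification fails'}")
```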
Silence is sadly no longer maintained, but it still seems to work for now. I will eventually replace it.
Re Mozilla: I do state on my browser comparison page that Chromium browsers are more secure. Also the Bromite repository is included in F-Droid by default on DivestOS.