The original person you replied was commenting that nix was less vulnerable to supply chain attacks. Your reply is essentially completely off topic, talking about CVE’s. They are not the same type of issue. Having an actively running piece of malware on your system is vastly more concerning than a vulnerability someone has yet to exploit, and the supply chain security techniques needed to protect against the former are different as well.

Immutability is an extremely poor defense against any form of attack. Immutability is literally a filesystem feature where a flag, chatttr -i is set on files or folders. Any program with root can adjust this flag, and any program running as a user could download additional binaries to or modify the users home directory. This is how the nix daemon works.

Now, if nixos followed (or you configured it to follow) a model where only binaries in the nix store could be executed, and nothing else could be executed (in addition to maybe say, using selinux to enforce that only the nix daemon is editing the nix store), that would be much more secure and very interesting. But it’s not doing that.

Edit: correction, the nix store is not actually immutable on the filesystem level. It merely holds immutable “outputs”, the packages and functions it generates. You’re not supposed to edit them… but nothing stops you (if you’re root or the nix daemon user). You can verify the nix store pretty easily, but it’s not an ongoing process, that is to say it wouldn’t catch malicious changes.

What I said above about a theoretical applocker enabled like system based on Nix still applies, however.