What do you consider to be the "Goldilocks" distro? the one that balances ease of install and use, up-to-date, stability, speed, etc... You get the idea.
I'm not a newb, these last few years I've lived in the Debian and derivatives side of things, but I've used RH, Slackware, Puppy :), and older stuff, like mandrake/mandriva and others. Never tried Suse or Arch, and while Nix looks appealing, I need something to put in production rapidly. I have tried Kinoite in a VM, but I couldn't install something (which I can't remember), and that turned me off.
Oh I'm on Mint right now, because lazy, but it's acting up with a couple of VMs, which I need, I really don't have the time or desire to maybe spend two days troubleshooting, and I'm a bit fed up with out of date pkgs.
You get a rock solid base system that get updated automatically, and every single user has the same image so you can't get into a bug that's only reproduced on your system because of your combination of system packages. If for any reason you have a problem with an image update, you can always boot on the previous image from grub.
Then user apps come on top of that, and can't break the base system.
I know you tried Kinoite and got stuck, but there is always a way to unblock yourself and install what you want. If it's not in flatpak there is homebrew (for CLI), and if it's in neither there is distrobox. You can also do a rpm-ostree for native packages if all the others fail.
You can also check universal blue, Aurora in particular if you want KDE. It's based on Fedora Silverblue but with an improved out-of-the-box experience.
I have yet to successfully install the Private Internet Access client on Bazzite. It does a lot of system modification at runtime, which doesn't play nice with the immutable system.
There's definitely limitations like that one, so I'd say there's a solution for most, but not all cases. Hopefully, that will become a non-issue when bootc is fully ready.
Yes and no. WireGuard configs are still not something they offer, despite customers asking for the last several years. They have often said they would do it, but they have yet to deliver on that promise.
OVPN configurations are an option, but the main benefit of the client is the ability to change tunnel configurations on the fly. If there's something you want to change, such as connecting to a different endpoint, you have to go back to the website to configure that tunnel and generate the config.
So you basically get 40% of the service you pay for if you try to use PIA with an immutable distro like Bazzite (which is not the various distros' faults).
I'm not sure how it works with PIA, but on Proton I can export multiple configs, let's say 6 different ones with a combination of countries and other options.
Then I add them all into KDE and I can switch between them at will.
It's a slight extra cost of time at the start, but after that it's smooth and easy.
Their OVPN performance isn't as good as WG, so it's really just a backup solution in my mind.
But my main point is that there exist edge cases like that where "install it in a distrobox" isn't a panacea. You either have to learn podman and how to forward your network traffic through the container or learn how to pack your own flatpak/appimage/RPM.
Okay. There's no flatpak for PIA's client, so that doesn't help me, and I don't know how to create my own (not for lack of trying). Same deal with RPMs and Appimages.
Also, just FYI, the flatpak for ProtonVPN is unofficial, in case you weren't aware. Make sure to double check the source files.