Daniel Micay Quotes

It’s interesting. I see your point. But I am wondering how it could be misunderstood. Or made better for wiki enhancement. 🙂

Straw man: I am not sure it’s productive to call it that.

Generally speaking, there are so many implicit assumptions, that it’s easy to talk past one another.

Related, you might also enjoy:

Attempting to describe freedom security better, how can the software vendor exclude itself from the need to be trusted as much as possible? A development goal which is hard to describe. “Giving the user security from the software vendor.” Quoted from the last link:

Prevention of targeted malicious upgrades. [25]

As in singling out specific users. Shipping malicious upgrades to select users only.

Most Android phones have a feature which allows logging in to the Google Play web/desktop version using the same e-mail address which is used on the phone. Usually the same Gmail address. When clicking install for an app using the Google Play web/desktop version, the user will be prompted (in case of having registered multiple devices) on which device the app should be installed. After pressing install, the app will be installed on the phone. This video [archive] demonstrates this. It is therefore established that the Google website can result in remote app installation on the phone. It follows that a coerced or compromised Google Play website could do the same. Since the Gmail based web login can be linked to the same Gmail address on the phone, pushing targeted malicious upgrades is especially easy. Even if a phone was always fully torified (all traffic routed over Tor) the Gmail identifier could still be used. While Tor can anonymize the connection, it does not (and should not) attempt to modify anything inside the traffic (the Gmail identifier).

Linux distributions usually do not require an e-mail based login to receive upgrades. Users can still be singled out by IP addresses unless users opt in to using something such as apt-transport-tor, which is not the default.

Kicksecure / Whonix:

All upgrades are downloaded over Tor. There is no way for the server to ship legit upgrade packages to most users while singling out specific users for targeted attacks.

Reproducible builds further go into that direction.

Other, hopefully later coming steps in the freedom security ecosystem would be fixing security vulnerabilities, systematic audits and then somehow also slowing down the speed of development, potentially vulnerable code being (re-)introduced after audits.

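An added example, not part of the original post and not Kicksecure / Whonix code: a small audit of a one-line-format APT sources list that flags entries fetched directly (and therefore attributable by IP address) rather than through apt-transport-tor's `tor+http` / `tor+https` schemes. The sample list, host names and function names are constructed for illustration.

```python
import re

# Constructed sample in one-line sources.list format (not taken from the page).
SAMPLE_SOURCES = """\
# main archive
deb https://deb.example.org/debian bookworm main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] tor+https://deb.example.org/debian bookworm main
deb-src tor+http://exampleonionaddress.onion/debian bookworm main
deb http://security.example.org/debian-security bookworm-security main  # trailing comment
#deb tor+https://disabled.example.org/debian bookworm main
deb file:/srv/mirror bookworm main
"""

# type, optional [options], URI, suite
LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")

# Schemes that never touch the network, so no remote server sees the client.
LOCAL_SCHEMES = {"file", "copy", "cdrom"}


def audit_sources(text):
    """Return (line_no, uri, verdict) for every active entry.

    verdict is 'tor' (tor+ transport), 'direct' (server sees the client IP),
    'local' (no network fetch) or 'unparsed' (needs manual review).
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment anywhere
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((no, line, "unparsed"))
            continue
        uri = m.group(2)
        scheme = uri.split(":", 1)[0].lower()
        if scheme in LOCAL_SCHEMES:
            verdict = "local"
        elif scheme.startswith("tor+"):
            verdict = "tor"
        else:
            verdict = "direct"
        findings.append((no, uri, verdict))
    return findings


def direct_entries(text):
    """URIs whose downloads can be tied to the client's IP address."""
    return [uri for _, uri, verdict in audit_sources(text) if verdict == "direct"]


if __name__ == "__main__":
    for no, uri, verdict in audit_sources(SAMPLE_SOURCES):
        print(f"line {no}: {verdict:8} {uri}")
```

This only checks the transport named in the sources list; it does not verify that a Tor daemon is running or that other traffic from the machine is routed over Tor.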