Re: the system packages for most distros are totally open by default.
The way I see it is that no operating system is totally safe and while Linux does make an attempt, in most distros that I've used over the years, to keep itself secure on installation, there are all sorts of reasons why you can never count on complete safety.
Most of those reasons relate to the people running the systems in question. Just as it is possible to construct a Windows system that doesn't rely on a user being logged in as admin all the time, it is just as possible for a Linux (or MacOS) system to be compromised by a user that insists on being logged in as root or has their own account added to the root group.
It's the reason why some distros are so keen on using sudo rather than encouraging a root login. You take control for as long as you actually need it and no longer.