Nice overview, don’t want to contest anything you said, just add my 2 cents to it.

The truth is the lines have gotten awfully blurry the past decade. It’s not just about FHS(basically a standard how the file system is laid out, where binaries go etc) getting more or less phased out(there are dozens of places where binaries can end up these days for example) but also some deeper changes of how we run software on these distributions.

Frankly arch and cachyos(which is a arch variant, yes it has optimised packages, but so does opensuse, it’s just a decision to leave behind compatibility with older hardware, not some inherent magic) belong into the standard Linux distro bin for me, they do nothing special or noteworthy beyond being competently implemented. They are not really different from Debian, fedora or Ubuntu, you can install those just the same manual way you do arch. Yes arch is rolling and others are release based but opensuse shows how there isn’t that much difference between the models, they run both on the same package base, as did Debian with its sid repo since forever.

Then we have gentoo and yes it is a bit special even today. The idea behind it is that you compile your own packages instead of using a binary repo. But why? The answer to that is that when you compile a package from source you have a vast influence on the resulting binary, for example by giving instruction to the compiler, that’s how cachyos gets its optimised binaries. But another even larger influence is by using configuration options built into the package by its developers. For example to disable or enable certain parts of the code. What gentoo did was collect and categorise the most common of these options into what became known as use flags, a system configuration that affects every single package built on that system. If you add the -dvd use flag it will strip dvd support from any package that has it. Or maybe you don’t have a printer -cups will remove cups support from all packages. This doesn’t just not install cups, it removes the very support of cups from packages that would otherwise interact/look for it in some way. This has obvious security advantages and is where the notion of gentoo being a lean system comes from, you’re stripping out entire functions of code from your binaries. If there is a bug in a certain OpenSSL mode that’s included in all binaries shipped by other distros, but you have deactivated all modes besides the one you intend to use, you are not affected by the bug. The idea behind gentoo is a kind of customisation that goes beyond the package layer, you’re no longer just choosing your individual packages but also the options of these packages.

As for the others, immutable, declaratives, cow or a/b root distros… that’s where the lines are getting blurry. The declarative like Nixos are very different in their implementation, but then again, you can use the nix package manager on other distros and we have been using docker containers set up declaratively via compose files for years by now. Likewise the immutable seem very alien, until you realise that they are only divided from their normal counterparts by a very thin line, important yes, but thin nonetheless. There is a reason these new distros get spearheaded by the old guard, a fedora workstation distro is very similar to a fedora silverblue immutable and from opensuse tumbleweed it’s a very close step to opensuse microOS. It’s mostly different default packages and some config options with an added package or two. Sure they seem very different, but just because you bolt the hood of your car closed doesn’t fundamentally change it does it?

These days I’d say gentoo is for learning. Not just about Linux but about interacting with source code and learning about the individual software you choose to install. The optimisations frankly matter less these days, sure you can optimise for speed or size of the binaries but are you going to be able to tell on that 12 core machine with 2 TB of nvme storage? No, not really. Security through a lean system might be nice, but there are specialised distros that already do so and you can run software in their own namespaces, control them via SElinux, put them in jails, bubblewrap them, containerise or VM them, hell even flatpak them, all probably more effective ways of archiving security.