The kernel lockdown feature looks interesting.
For instance, if I have a USB stick attached as sdb and I navigate to /sys/block/sdb/device/driver and do an ls, then it shows symlinked folders.
I can unbind that using
echo "2:0:0:0" | tee /sys/block/sdb/device/driver/unbind
(in my case) and sdb (usb) is no longer bound in that kernel session.
If I alternatively do that via /sys/bus/pci/drivers/ehci-pci (and do ls to note the device, 0000:00:12.0 in my case)
echo "0000:00:12.0" | tee /sys/bus/pci/drivers/ehci-pci/unbind
Disables it, but then I can rebind it again
echo "0000:00:12.0" | tee /sys/bus/pci/drivers/ehci-pci/bind
At least that is the case for Fatdog.
Lockdown, I presume (haven't checked it out yet myself), can prevent access to the likes of the above. But with greater security come restrictions. I assume that with lockdown enabled it fixes things at bootup and you have less in-session (userland) flexibility, even as root.
Personally I prefer the physical approach: plug and unplug a USB stick, and best if you use two sticks, one for boot, the other for data (plugging a boot stick into a potentially compromised running system risks that stick's OS files also being compromised).
If you go down the physical (hard) approach path, then there's no real need (from a single user desktop system perspective) for lockdown. If you use the lockdown (software) approach and attached devices then as ever there is risk of bugs/work-arounds, either present and unknown (or known but not fixed), or yet to come (later releases that fix one problem/bug, but introduce others). Of the two the former (physical) is the better IMO.
I boot Fatdog from USB, which is unplugged during init, isolating the MBR/bootloader/kernel etc. I only ever save after making changes from a clean cold-booted system (nothing else before or after). Otherwise boot that known 'clean' system, no system changes/saves, and save data separately (incremental saves of data, with off-site copies also being stored). For sensitive operations, such as online banking, boot a clean session, go direct to your bank, nowhere else before or after, cold shutdown afterwards.
Great to see EasyOS having moved in the direction of supporting that style of operation (ability to run totally in RAM and leave no remnants).
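
Added example, not part of the original post: a read-only shell audit that reports the kernel's active lockdown mode and which devices are currently bound to the drivers mentioned above, without writing to any bind/unbind file. The function names and the optional path arguments are hypothetical and exist so the script can be tested against a constructed directory tree.

```shell
#!/bin/sh
# Added example: read-only audit, never writes to bind/unbind.
# Function names and the optional path arguments are hypothetical (used for testing).

# Active kernel lockdown mode: the bracketed word in the securityfs file,
# whose content looks like "[none] integrity confidentiality".
lockdown_mode() {
    f="${1:-/sys/kernel/security/lockdown}"
    [ -r "$f" ] || { echo "unavailable"; return 0; }
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$f"
}

# Driver currently bound to a block device (e.g. sdb), or "unbound".
bound_driver() {
    link="${2:-/sys}/block/$1/device/driver"
    [ -L "$link" ] || { echo "unbound"; return 0; }
    basename "$(readlink "$link")"
}

# Device IDs bound to a bus driver, e.g. bound_ids pci ehci-pci.
# In a driver directory the devices are symlinks; "module" is a symlink too.
bound_ids() {
    dir="${3:-/sys}/bus/$1/drivers/$2"
    for e in "$dir"/*; do
        [ -L "$e" ] || continue
        [ "$(basename "$e")" = "module" ] && continue
        basename "$e"
    done
}

# Report only when called with a block device name, e.g.: sh audit.sh sdb
if [ -n "${1:-}" ]; then
    echo "lockdown mode : $(lockdown_mode)"
    echo "$1 driver     : $(bound_driver "$1")"
    echo "ehci-pci ids  : $(bound_ids pci ehci-pci | tr '\n' ' ')"
fi
```

Running it before and after an unbind shows the device ID disappearing from the driver's list, and "unavailable" for the lockdown mode means the kernel was built without the lockdown LSM or securityfs is not mounted.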