OpenSUSE microOS/ microOS Desktop (Aeon, Kalpa) does this.
They use a complete “changes go to the next system” thing also using BTRFS.
But they dont use OSTree so the system is fundamentally flawed.
Advantages of ostree are
complete transparency over package changes rpm-ostree db diff
complete transparency over /etc changes (the upstream is in /usr/etc and can be reset, see here
the OS is always based on a complete upstream remote, your local system does not matter at all. You can rebase, reset etc without being dependent on anything on the local OS.
Example: I could rebase from Fedora OSTree to CentOS OSTree. They are working on bootc images, which are bootable OCI images and in theory only one step away from uBlue-like distribution.
If you do anything relying on local package management like OpenSUSE does, you can snapshot between changes but still mess up.
So I would always base off OSTree.
What I dont get though is the reliance on reboots and images. OSTree works on all filesystems and doesnt need images, it is simply like a Git repo.
So what I would change is, to enable random local changes with a flag –direct and simply apply the changes live. I mean, that is what DNF and all the distros do too.
Only if you need a kernel upgrade you do stuff with a reboot. Version upgrades are also WAY better than the unstable mess on standard Fedora or other distros.
So track everything with OSTree, allow resets, rebases etc, but dont force all the image stuff. This is the reason why rpm-ostree takes so long and is so inefficient compared no DNF.
Just using OSTree you could only install RPMs, use a nonwheel user, SELinux confined users and have a secure and slim system.
I dont know if I miss something here. Android is rootless but the base OS is still immutable and uses A/B root, so writing only happens to the inactive partition. I dont know if immutability is some core security feature.
Rpm-ostree is really good as an allrounder, but I think a bit overkill. It does support installing packages live, but this does the same action afaik and just swaps the OS image without a reboot.