Well, the desktop stack is more or less a PoS one way or another, regardless of whether it's Mate, Cinnamon...
If I were to somewhat 'trust' a desktop, that would be Gnome, in the sense that that's where the $ is,
and also, besides funding, from what I'm aware, at least a few of its sub-projects explicitly & frequently
test their code for potential vulnerabilities etc etc...
This goes slightly off-topic, and it's partially addressed to rene, as it is recent enough.
I didn't comment in that thread there, because the main 'discourse' seemed to be along the lines of...
if the browser is updated, then all is quiet on the western front. It absolutely certainly isn't.
I.e. find me a simple, common, unsuspecting end-user who won't download video files from public trackers.
And note we're talking about...VLC here, 1 billion downloads, widely reviewed, has also received EU money for bug testing.
So, if we're talking about...a random player fork of another random player hosted somewhere on GitHub, well, yeah...no comment.
Could claim the very same thing for most common desktop utilities / functions actually.
PDF browsers, archive extractors, image viewers, and what not.
And if you add on top the not-so-great vulnerability history in Ghostscript, ImageMagick, zlib etc...
There was a relatively interesting paper a few years ago.
Pretty much what it said was that...hey, this kind of past Windows-alike nonsense / vulns
(JpegOfDeath, the WMF exploit, TTF exploits) is hugely ignored by the modern Linux desktops.
People download pdfs, jpgs, fonts, avi or mkv files and what not...
so it's certainly not "keep the browser updated, and all is more or less well".
That's a serious under-estimation: ALL input from the net should be treated as untrusted in the first place.
And please note we're talking only about improper file format decoding here.
I.e. myself, I'm actually fairly confident that besides the .desktop Win95-alike bug above,
various kinds of early / mid-00s Windows-style file format parsing / decoding vulnerabilities
must be lurking in the various desktops, forks and their sub-components at this or that stage of development.
Due to lack of interest in x obscure graphical Linux software...it's just that probably no one notices them.
To make myself clear: I trust the kernel enough, and the well-known server/cloud software & underlying libs used in the industry.
The rest - I merely trust that they aren't backdoored if coming from official repos, nothing more or less.
Outside such, I always (try to) manually check / verify any file that I download...
In that sense, (and obviously retracting / apologizing if you will for my previous statements having misunderstood such),
the only 'hope' would be as smurphos suggested to re-open the discussions about such over at Github...
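The post's two practical points, that every downloaded file is untrusted input and that a file should be checked before it is handed to a desktop decoder, can be turned into a small pre-flight check. The script below is an added example written for this thread; it is not code from the post, from any of the projects named in it, or from the paper mentioned. It reads only the first bytes of a file, compares them against the published magic-byte signatures for a handful of common download types (the set of formats covered is this example's own choice), refuses files whose extension does not match their content, and optionally pins the file to a SHA-256 digest published by the trusted source. The sample inputs at the bottom are constructed stubs, not real media files.

```python
from __future__ import annotations

import hashlib
import hmac
import sys
from pathlib import Path

# Each extension maps to a list of alternatives; each alternative is a list of
# (offset, bytes) requirements that must ALL match.  The byte values are the
# standard published signatures for these containers; the choice of which
# formats to cover is an assumption of this example.
SIGNATURES: dict[str, list[list[tuple[int, bytes]]]] = {
    ".pdf":  [[(0, b"%PDF-")]],
    ".jpg":  [[(0, b"\xff\xd8\xff")]],
    ".jpeg": [[(0, b"\xff\xd8\xff")]],
    ".png":  [[(0, b"\x89PNG\r\n\x1a\n")]],
    ".gif":  [[(0, b"GIF87a")], [(0, b"GIF89a")]],       # either version
    ".mkv":  [[(0, b"\x1a\x45\xdf\xa3")]],                 # EBML header
    ".avi":  [[(0, b"RIFF"), (8, b"AVI ")]],               # RIFF *and* AVI tag
    ".zip":  [[(0, b"PK\x03\x04")]],
    ".ttf":  [[(0, b"\x00\x01\x00\x00")]],
    ".otf":  [[(0, b"OTTO")]],
}

HEAD_LEN = 64  # enough to cover every offset used above


def _matches(head: bytes, requirements: list[tuple[int, bytes]]) -> bool:
    """True if every (offset, signature) pair is present in the header bytes."""
    return all(head[off:off + len(sig)] == sig for off, sig in requirements)


def detect_formats(head: bytes) -> set[str]:
    """Every extension whose signature matches the given header bytes."""
    return {ext for ext, alts in SIGNATURES.items()
            if any(_matches(head, alt) for alt in alts)}


def check_magic(data: bytes, claimed_ext: str) -> bool:
    """Does the file content agree with the extension it was downloaded with?

    Unknown extensions are refused rather than guessed: the point is to stop
    handing surprises to a decoder, not to be permissive.
    """
    alts = SIGNATURES.get(claimed_ext.lower())
    if alts is None:
        return False
    return any(_matches(data[:HEAD_LEN], alt) for alt in alts)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_bytes(data: bytes, claimed_ext: str,
                 expected_sha256: str | None = None) -> dict:
    """Combine the content/extension check with an optional pinned digest.

    hash_ok is None when no digest was supplied; the file is accepted only if
    the magic bytes agree with the extension and the digest (if given) matches.
    """
    digest = sha256_hex(data)
    hash_ok = None
    if expected_sha256 is not None:
        hash_ok = hmac.compare_digest(digest.lower(), expected_sha256.lower())
    magic_ok = check_magic(data, claimed_ext)
    return {
        "magic_ok": magic_ok,
        "detected": sorted(detect_formats(data[:HEAD_LEN])),
        "sha256": digest,
        "hash_ok": hash_ok,
        "accept": magic_ok and hash_ok is not False,
    }


def verify_file(path: str, expected_sha256: str | None = None) -> dict:
    p = Path(path)
    return verify_bytes(p.read_bytes(), p.suffix, expected_sha256)


# Constructed sample inputs (header stubs only, not valid media):
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_ZIP_NAMED_MKV = b"PK\x03\x04" + b"\x00" * 16   # an archive renamed to .mkv
SAMPLE_AVI = b"RIFF" + b"\x00" * 4 + b"AVI " + b"\x00" * 8
SAMPLE_WAV = b"RIFF" + b"\x00" * 4 + b"WAVE" + b"\x00" * 8

if __name__ == "__main__":
    # usage: python check_download.py <file> [expected-sha256]
    target = sys.argv[1]
    expected = sys.argv[2] if len(sys.argv) > 2 else None
    print(verify_file(target, expected))
```

The check is deliberately strict in two directions: a `.mkv` that actually starts with a ZIP signature is rejected even though it is a perfectly valid archive, and an extension the table does not know is rejected rather than passed through. The digest comparison uses `hmac.compare_digest`, and the file is accepted without a digest only when the caller supplied none; a wrong digest always rejects.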