Qubes has recently gained a following among privacy advocates [google.com], notable among them journalist J.M. Porup, Micah Lee [micahflee.com] at The Intercept and Edward Snowden [theintercept.com].
Embodying a shift [invisiblethings.org] away from complex kernel-based security -- and towards a bare-metal (Type 1) hypervisor, Xen, plus an IOMMU for strict isolation of hardware components -- Qubes closes the usual channels for 'VM breakout' and DMA attacks. It confines NICs and USB controllers to unprivileged VMs, which are themselves a re-working of the usual concept: each boots from a read-only OS 'template' that can be shared among many VMs, so a compromised VM cannot persist changes into the template. Graphics are also virtualized behind a simple, hardened interface rather than handed to guests directly. Some of the more interesting attacks mitigated by Qubes are Evil Maid, BadBIOS, BadUSB and Mousejack. [mousejack.com]
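The hardware isolation described above only works if the IOMMU is actually enabled and the NIC or USB controller sits in its own IOMMU group; devices that share a group can only be assigned to a VM together, so a USB controller grouped with, say, an audio controller drags that device along. The script below is an added example, not a Qubes tool and not code from the project or the summary: it reads an ordinary Linux kernel's sysfs IOMMU groups (for instance from a live USB booted on a candidate machine before installing Qubes; under Xen the hypervisor owns the IOMMU and dom0 does not populate this directory) and reports whether a given PCI device is isolated. The sysfs root is a parameter so the functions can be run against the constructed tree built by `make_fake_sysfs`; the device addresses in that tree are made up.

```shell
#!/bin/sh
# Added example (not from the Qubes project): inspect IOMMU grouping in a
# Linux sysfs tree. $1 is the sysfs root (defaults to /sys) so the functions
# can be pointed at a constructed tree for testing.

# Print one line per IOMMU group: "<group>:<device count>:<devices...>".
# Returns 1 and prints "no-iommu" when the kernel exposes no groups at all,
# which means the IOMMU is absent or not enabled (intel_iommu=on / amd_iommu=on).
iommu_groups() {
    root="${1:-/sys}"
    base="$root/kernel/iommu_groups"
    if [ ! -d "$base" ]; then
        echo "no-iommu"
        return 1
    fi
    for g in "$base"/*; do
        [ -d "$g/devices" ] || continue
        n=$(ls "$g/devices" | wc -l | tr -d ' ')
        printf '%s:%s:' "$(basename "$g")" "$n"
        ls "$g/devices" | tr '\n' ' '
        echo
    done
}

# Return 0 if PCI device $2 (e.g. 0000:02:00.0) is alone in its IOMMU group,
# i.e. it can be handed to an unprivileged VM without also exposing other
# devices; 1 if it shares a group; 2 if it is not in any group.
isolated() {
    root="${1:-/sys}"
    dev="$2"
    for g in "$root"/kernel/iommu_groups/*; do
        if [ -e "$g/devices/$dev" ]; then
            n=$(ls "$g/devices" | wc -l | tr -d ' ')
            [ "$n" -eq 1 ] && return 0
            return 1
        fi
    done
    return 2
}

# Constructed sysfs tree for demonstration (addresses are made up): a NIC
# alone in group 1, and a USB controller sharing group 7 with an audio device.
make_fake_sysfs() {
    d="$1"
    mkdir -p "$d/kernel/iommu_groups/1/devices" "$d/kernel/iommu_groups/7/devices"
    touch "$d/kernel/iommu_groups/1/devices/0000:02:00.0"
    touch "$d/kernel/iommu_groups/7/devices/0000:00:14.0" \
          "$d/kernel/iommu_groups/7/devices/0000:00:1f.3"
}

# Usage on a real host: iommu_groups; isolated /sys 0000:00:14.0 && echo "ok to assign"
```

On a machine where `iommu_groups` prints `no-iommu`, Qubes' DMA isolation guarantees do not hold no matter how the VMs are configured; when the USB controller you intend to give to sys-usb shares a group, the other group members must go to the same VM or stay attached to the privileged domain, which is exactly the trade-off this design is trying to avoid.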