If I recall correctly from the last time I saw this posted, the problem with projects like this that they rely heavily on very small teams making sure that every security update gets included from upstream, often not a simple task. Privacy from Microsoft is important but if you’re running an insecure OS then you may as well not have privacy from anyone.