I was more thinking that, in theory, anything you install and run could be compromised from the get go. With enough prep, any distro could be replaced with a compromised version on the fly and you would have no way to tell. Any tools you use could similarly be compromised to give you untrustworthy output. It would require a heck of a lot of investment, but not beyond the scale of nation states, and would be pretty scalable.
I was more thinking that, in theory, anything you install and run could be compromised from the get go. With enough prep, any distro could be replaced with a compromised version on the fly and you would have no way to tell. Any tools you use could similarly be compromised to give you untrustworthy output. It would require a heck of a lot of investment, but not beyond the scale of nation states, and would be pretty scalable.