Realistically, though, there are probably exploits that the NSA/CIA have for Linux, even with the pseudo-security that PaX and other kernel modifications provide.
Might I remind you of Linux's TCP stack, which had a huge CVE in 2016. Beyond kernel-space issues, Linux has a load of badly written programs that many people still use; user-space security on Linux is quite minimal, programs can interface with each other with ease, and it does not require sudo. For a long time, the way Xorg was launched on most Linux systems posed a high security risk.
Until there is a formally verified kernel that is provably sound in terms of security (there are some, but they do not do much for general computing; see most real-time-oriented kernels), and user-space applications which are safe by default no matter how badly written, consider that any security you have can and will be broken eventually. (Assuming that the hardware is not backdoored; see RDRAND. Even a formally verified system would probably be susceptible to hardware-based attacks: "physical access, total access.")
It sort of goes with the saying, "your threat model is worthless given enough time and the right resources."
That being said, Gentoo has more fine-grained control: you start out with nothing and build your own stuff, but then again I doubt that each time you install a package or there is an update you audit that package.