Note: I'm discussing desktop GNU/Linux in my response. If you run a server exposed to the Internet, you or your administrative team should have the knowledge needed to make it secure. If not, you proceed at your own risk.
No, Desktop GNU/Linux not just like Windows. You're only unsafe if you don't learn and follow best practices in GNU/Linux. Always create and use a regular (non-root) user account for daily computer use. In most distributions, when you run the installer, it creates a user account as well as an administrative account so you can perform non-privileged activities such as surfing the Internet and using email,etc. When you install updates, you will be asked to enter your administrative (root) password. When you perform any administrative activity (changing system configuration, editing files not in your user-space (under /home/[your username]), etc.
Alternatively, many distributions allow you to bypass creating an administrative (root) account, and adds your user account to the wheel group so you can use the sudo command in the terminal while graphical software requiring administrative permissions will ask for your user account password (my preference).
As for exploits, crackers find software security weaknesses they can take advantage of by creating scripts or apps they use to exploit those weaknesses. In GNU/Linux most such vulnerabilities are discovered and patched in time frames measured in days or weeks as opposed to Windows where the time frame can be measured in periods as long as months or years.
When it comes to targeted attacks, crackers don't usually target the average desktop GNU/Linux user. Notable exceptions include government employees, users who work at organizations with an Internet presence, and who have administrative access to the organization's Internet-facing resources.
As for outdated software, most GNU/Linux distributions provide regular and frequent software updates, It is the responsibility of the user to perform frequent system updates. Note that when you perform an update on your GNU/Linux system, all the installed software will be updated (system and applications) provided you install software using only your distribution's software installer (no third-party software).
Regarding social engineering, I trust nothing coming from the Internet. I delete email messages coming from senders I don't know, and before I click on any link in messages from sources I know, or on websites I visit, I check that the URL a hyperlink will send me to matches its label. I use the Thunderbird email client, and the Firefox web browser. Both display the URL of a hyperlink in the status bar at the bottom of the window or in a pop-up dialog/bubble.
Admittedly, GNU/Linux has a few security issues, but they are very difficult to exploit if the system is correctly configured, and the majority of distributions correctly configure your system for you at install time. Unless you use SSH or something similar to connect to external computers/servers over the Internet, your system should be very secure out of the box. I don't use SSH here and I don't know how to configure it, but if I ever need it, I'll take the time to learn how to make it secure for my needs before opening any ports for it.
The bottom line here is that GNU/Linux is significantly more secure than Windows following installation. Both OSes are at their most secure when they are properly maintained and kept as up to date as possible. I dual boot Windows 11 with Garuda GNU/Linux here, and I like both OSes, although I find that I have significantly greater freedom to customize my GNU/Linux User Interface to my liking than I have with Windows 11.
Ernie
