> I don't think this is a big reason Gentoo users use Gentoo.
Exactly. The two most compelling reasons to use Gentoo are/were: 1) it's a rolling-release distribution and 2) it offers customization by virtue of building from source. I don't think I've seen the argument that it's more secure--not seriously, anyway. I used it back then because I wasn't a huge fan of Linux and Gentoo seemed more familiar to me with its ports analog.
Perhaps part of the OP's confusion is the hardened profile (or similar)? I'm not sure, considering their wiki currently advertises it as risk mitigation [1], but I haven't used Gentoo in probably 6-7 years (at least not consistently outside a VM), so my memory on this is likely wrong.
To clarify: Gentoo did no harm. Many Gentoo users cited the risks of prebuilt binaries in their evangelism of Gentoo. That perceived risk remains an undercurrent in people’s thinking today, even though we’ve generally since realized that prebuilt binaries aren’t the risk we were led to believe they were back then. I blame the Gentoo evangelists of yesterdecade for this persistent “anti-binary” mindset, not Gentoo itself.
Never trust a source code repository more than you trust the people who commit it and the channel you downloaded it through.
Autoupdates from a source repository that you don’t review before accepting updates are no safer than autoupdates from a binary source.