if it’s being read from, it can be written to.
Why would being able to read imply being able to write?
Having an extra step or two in the way doesn’t make it “extremely secure”.
Well, it can greatly improve security by preventing a compromised app from achieving persistence.
Yes, some toolchains expect you to run pre-compiled dynamically linked binaries. These won’t work on NixOS; you need to either find a way to install the binary from nix and force the toolchain to use it or run patchelf on it somehow.