zlacker

1. holler (OP) 2023-07-27 23:51:38
Unified Kernel Images sounds like a useful improvement. I imagine that when combined with whole-disk encryption it provides useful protection against evil-maid attacks, but I haven't been able to find any signs that there is any Linux install in existence anywhere--except for Android and ChromeOS--where the boot process can detect an alteration to a file in /usr/ (e.g., the system's C library) and refuse to boot or at least warn the user. Unlike an evil maid, malware that has succeeded in its goal of running in a privileged process can alter any file in the unencrypted root filesystem.

In my search I focused on the "immutable" distros like Silverblue because it seems to me that the immutability would make the implementation easier.

In contrast, all the other mainstream OSes can detect an alteration in something like the C library during boot.
