It doesn't "protect" the system from users because it's specifically designedto allow installing custom packages (even customised builds of existing packages). What it does is it provides complete traceability of the system files, reproducible installation/imaging and even multiboot into several different versions/commits. I like it

Going through the hassle of setting it up in a way that allows easy rollback using a flat hierarchy and a bunch of fstab mounts (in the case of BTRFS at least) if your distro hasn't done that for you already, fiddling around with system state, figuring out which directories to exclude (as they may include only log files or caches and backing those up may end up being either a waste of space or could cause a loss of useful information in case of a rollback) and ensuring you don't accidentally lose any modifications to your system you made after a snapshot on rollback. Also not being tied to either BTRFS or ZFS.

Do all these variants support Wayland as the default and mighty Gnome one?
If not.. yuck!

there is a difference when you think of a trojan horse or virus... is something has a security hole and want to manipulate files on your system... a immutable system makes it extra hard for a virus/trojan to manipulate system files for install a keylogger or something like that.