Post
Topic
Board Speculation
Re: Wall Observer BTC/USD - Bitcoin price movement tracking & discussion
by
Globb0
on 27/02/2020, 03:22:22 UTC

Most Linux distributions can be run on read-only filesystems (same as from CD) BUT the only true security hole is running them as root, because volumes can be remounted in rw mode on the fly. I'm using this strategy on my Raspberry Pi that is running the game console emulators for the kids. They don't do no shutdown, they just pull the plug/wallwart. ROMs are stored on ext4 USB, mounted read-only. This one is just mounted in rw mode on the PC, to manage the ROMs and emulator binaries.

Just make sure you run Linux as unprivileged user. Privilege escalation is a thing though, but unlikely on patched systems. However, when you're not connected to the net, I doubt there is a fair chance of catching a successful exploit via USB.

Again, your postulated security described above is utterly dependent upon the rando USB device implementing only a storage class endpoint.

Whatevs. Good luck with that.

I would care less if I am running as unpriv. user on a system that is not network connected. I didn't mention that I'd never use a host with actual user data on it. I thought that would be clear because I was replying to Dabs' "frozen sysimage" approach. I would definitely not use a guest VM but a dedicated box that I can reset via dd or similar disc imaging tools, I wasn't clear on that, as I just recognize while typing this.
And yes, it's part of the very basics: there is no 100% security, only 100% security against certain (and therefore known) attack vectors.

I’m gonna say this one last time. Your postulated recovery is weaksauce against anything other than a disk-resident vector.

dd ain’t gonna do nothing for you if malware-containing USB infects the BIOS.

My BIOS has a reset to default button for times it all goes wrong. Don't conflate things to 2 options when there are many more possibilities.
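
The point raised in the thread about a USB device implementing only a storage class endpoint can be checked on a Linux host after the device is plugged in. The following is an added example, not part of the original posts: it reads the `bInterfaceClass` files under `/sys/bus/usb/devices` and reports devices that expose anything besides mass storage (hubs are allowed by default). The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

MASS_STORAGE, HUB = 0x08, 0x09   # USB-IF base class codes
NAMES = {0x02: "communications", 0x03: "HID (keyboard/mouse)",
         0x08: "mass storage", 0x09: "hub", 0xFF: "vendor specific"}

def interface_classes(sysfs_root):
    """Map each USB device to the sorted interface classes it enumerated with."""
    found = {}
    for entry in sorted(os.listdir(sysfs_root)):
        if ":" not in entry:              # interfaces are named like "1-2:1.0"
            continue
        try:
            with open(os.path.join(sysfs_root, entry, "bInterfaceClass")) as fh:
                cls = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue                      # unreadable or malformed entry
        found.setdefault(entry.split(":")[0], set()).add(cls)
    return {dev: sorted(classes) for dev, classes in found.items()}

def unexpected_interfaces(sysfs_root, allowed=(MASS_STORAGE, HUB)):
    """Return {device: [class, ...]} for devices exposing anything not allowed."""
    report = {}
    for dev, classes in interface_classes(sysfs_root).items():
        extra = [c for c in classes if c not in allowed]
        if extra:
            report[dev] = extra
    return report

def build_constructed_tree(root):
    """Constructed sample: a root hub, a plain stick, and a 'stick' that is also HID."""
    sample = {"1-0:1.0": "09", "1-1:1.0": "08", "1-2:1.0": "08", "1-2:1.1": "03"}
    for name, cls in sample.items():
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "bInterfaceClass"), "w") as fh:
            fh.write(cls + "\n")
    return root

if __name__ == "__main__":
    real = "/sys/bus/usb/devices"
    root = real if os.path.isdir(real) else build_constructed_tree(tempfile.mkdtemp())
    for dev, extra in unexpected_interfaces(root).items():
        print(dev, "also exposes:", ", ".join(NAMES.get(c, hex(c)) for c in extra))
```

This reads descriptors after enumeration, so it is an audit of what a device presented itself as, not a control that stops the device from being bound by a driver.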