Correct, nobody knows Palemoon’s vulns, only documented Moz CVEs, plus NPAPI plugins and unsigned extensions. What could go wrong.
I agree about forums. The USA gov pays trolls to mislead on security topics. So study and think for yourself. Web browsers are favored targets, being easy to own. The larger story is front companies (cf. Insurge findings) and prepurchased trapdoors like Apple’s goto-fail and blank root password “bugs.”
Brave forks Chromium with privacy/security mods; Tor Browser forks Firefox with privacy/security mods. These are the two main privacy/security contenders based on the two big browsers for Linux.
As Brave stabilizes, Palemoon destabilizes with architecture revision. A year ago it was the rendering engine. Now it’s Basilisk. Palemoon has code churn. Now isn’t a time to call it secure.
Palemoon and Tor Browser both forked Firefox. If you want a secure XUL browser right now, it’s the latter. Unlike Palemoon it gets active help from Mozilla and pentesting.