How does installing packages or configuring software work, if system files can’t be changed?
On reboot. You install your changes into a separate part of the filesystem that’s not running and then “switch parts” on next boot. Different distros do this differently. Vanilla OS has an AB system which basically works like Android does it, openSUSE uses btrfs snapshots and Fedora also uses btrfs I think but they got a more complex layering system on top.
I get that there’s a security benefit just in that malware can’t change system files – but that is achieved by proper permission management on traditional systems too.
Is it though? All it takes is a misconfiguration or exploit to bypass it, so having several layers of protection isn’t a bad thing and how any reasonably secure system works. And having parts of your system predetermined as read only is a comparably tough nut to crack.
It will stop a lot of people from entering random commands they googled up though.