The very best option right now (and dirty cheap, ~$200 new) is to get an Asus C201P / Flip Chromebook. It uses a Rockchip ARM CPU, and if you disable 3D acceleration (which is slow anyway) and use an external wireless antenna, you don't have any closed firmware in your computer. Not even CPU microcode firmware.
This is unique. Of course, it's a machine targeted by Libreboot:
I guess that if you install GuixSD, given all binary packages can be verified against the source, and there are some decent sandboxing facilities you can get pretty great security.
At the moment GuixSD doesn't yet work on ARM. Not much is missing and you can use Guix as a package manager on top of some other variant of the GNU system, but GuixSD on ARM is not quite ready yet. Give it a couple more weeks.
This is unique. Of course, it's a machine targeted by Libreboot:
https://libreboot.org/docs/hardware/c201.html
I guess that if you install GuixSD, given all binary packages can be verified against the source, and there are some decent sandboxing facilities you can get pretty great security.