Recs.
Updated
SpecsUpdate
Pros
Cons
Con MAC spoofing at login unrequired
MAC spoofing at login, unless it is in some way exceptional, should be unrequired, as the widely available macchanger for Linux can accomplish this on the fly.
Con TAILS encourages a destructable installed OS
The strength of live-booting USB isos is in their destructibility: if the OS or any part of it is compromised or damaged, it can be reinstalled and up again with a matter of minutes. For this purpose, an exportable persistent overlay is adequate for storing user customisations to the interface. Most distros, including security or anonymity distros, instead encourage long-winded installation from one device onto another, full persistence or encrypted persistence, and so on, or require all this or produce a working article (Fedora can currently only be installed with persistent overlay by command line installing it from an installation of Fedora, whatever the guides claim). The grail of a security distro should be an ideal configuration and built-in persistent user changes for minimal customisation (see Pentoo for an example) that works out-of-the-box and can therefore be reestablished rapidly and on the go - not a precious installation the outcome of weeks of work and saved data. The only other option is to collapse a custom state down to a new iso, of varying difficulty but easier in Debian than some.
Con TOR bridge option at login should be unrequired
Tor bridges are setup at Tor launch by the Tor Browser - so why insist this be a login option? Until recently, the Tor Browser in TAILS was also hard to restart should it fail as it Torified the OS and connected to the network - though this should have been as simple a process as it is in Windows or Linux when using the TBB, since TOR regularly fails at startup.
Con Limits user control
Limits user control profoundly, by intention. It would be better to have a hardened base distro with comprehensive software security options that encourages user knowledge and interaction without over-technicality (Tor does not have to be difficult to configure; VPN/VPS does not have to be difficult to setup or overly commercially dependent, and even has some GNU VPS options for those in the activist camp, but is essential on now widely used airgapped connections; simple custom interfaces for toggling TOR, MAC spoofing, user agent switching, etc., are not impossible).
Con Limited hardening of Debian, which is widely available 'unhardened' and difficult to secure.
TAILS appears to opt for AppArmor in this regard. SELinux is more powerful but difficult to implement, grsecurity, which is still widely discussed, is now commercial and cannnot any longer be patched for the Debian kernel - and unfortunately, no one ever laid down a hardened Debian distro.
AppArmor is hard to implement, in fact impossible for anyone without weeks to spend on each application that must be secured, and is not a kernel hardening procedure. The guide to hardening Debian is a vast and intimidating document (available at https://www.debian.org/doc/manuals/securing-debian-howto/); for a look at actual hardened kernels, one has to observe hardened Gentoo, Fedora, or the likes of Alpine Linux (see its out-of-the-box secure kernel here: https://alpinelinux.org/about/. None of these quite match the software, user-base or GNU freedom of Debian - though TAILS specifically advises against installing additional software which would be impossible for the average user to secure with AppArmor.