Qubes systems can keep things like cameras and mics effectively beyond the reach of remote attackers while running Linux and Windows apps.
The core of the system is a pairing of Xen and X11/Linux which isolates the graphics, network and other risky services into less trusted domains. The result is that the trusted X11 can always show you what security context a window or other graphical element represents, even if the untrusted X11 in a VM becomes compromised-- You can't be tricked into thinking a malware element is really a part of the core OS.
And that core OS allows you to (graphically or via CLI) sequester or assign hardware resources to various VMs; You can see at a glance if an untrusted or risky VM still has access to the mic and remove that access with a couple of mouse clicks.
Of course, you still have to trust the hardware and firmware you got from the PC manufacturer.