1. Protect users from attackers external to the computer
2. Protect users from attackers who are other users on the computer
3. Protect users from applications run by other users on the computer
4. Protect users from applications they themselves run on the computer
5. Protect unprivileged (non-root) users from their own actions
6. Protect privileged (sudo/root) users from their own actions
OSes have been historically OK at 1-3. Not great or even good. There have been a lot of remote code vulnerabilities and local vulnerabilities over the years.
OSes have pretty much ignored 4 until maybe a decade ago, and are making token progress toward it, but I don't think many of them take it very seriously.
OSes have instead started to crack down on 5-6, which I'd argue isn't even the job of an OS.