We love to praise Linux constantly and tell everyone to change to it (they should), but what are your biggest annoyances?

Mine would be installing software (made even more complex by Flatpaks being added, among the 5 other ways there already were to install software) and probably Wi-Fi power management issues.

  • fruitycoder@sh.itjust.works
    20 hours ago

    Security should be the default, but instead a lot of security features are optional things we have to dig through docs to set.

    TPM support is getting more common, using it should be too. Detected during install? Set it up as part of LUKS during install, and enable a password, and provide an option for Tang (both usage or deployment).

    fscrypt should be enabled by default and keys set by logical differences of file types. (Yes, on top of LUKS.) Honestly, setup following SELinux profiles and per user is a reasonable default. Hardware-wrapped keys should be default.

    Encrypted memory an option for this CPU? Enable it. Features for multiple key memory encryption? Enable it. Encrypt on a per VM and per container level by default.

    Each service should be containerized, connections made explicit (ideally with L7 rules, L4 at least). If a user wants to tinker, have a dev mode that opens that service up, with the expectation that it's temporary (track and warn the user when active). Each service should run as its own non-root user.

    Each application should be containerized. Wayland should be default to minimize shared data. Access by apps should be explicit and user approved and user configurable. Applications should never run as root and escalations should be temporary and explicitly approved by the user. Application to the network should be explicit per connection and L7 aware.

    MACsec WPA3 PKI should be available during install. Wireless WPA3 PKI option should be default on wireless setup. IPsec/WireGuard VPN/Tor should be an available option by default on setup. VLAN tagging should be an available option on setup.

    FIPS or equivalents should be enforced by default. Old encryption methods/ciphers/etc. should require explicit approval by the user.

    SELinux should be enabled by default and SELinux tagging should be exposed in user applications, so users can choose the security levels, privacy tags (medical or tax docs, etc.), or pseudonym access they want.

    Sudo should be set up by default for least privileged roles and not god mode access. The combination of those into a single user could look indistinguishable but it should be set and ready for adding users that are limited in scope.

    Encrypted backups following the 3-2-1 rule (at least 3 backups, 2 different types of media, 1 off site) should be the default and configurable on install. Scheduled and triggered backups should be frequent (ideally constantly backing up, with snapshotting being periodic).

    Multi-factor logins should be the default. Support for smart card, key fob, OTP, biometric, plus password built in and encouraged on install.

    Number of known CVEs for hardware, packages, and configurations should be tracked and obviously available for privileged users. Hardware missing for full best practices (like TPM 2.0, memory encryption support, etc). Software source should be kept easily accessible to users for removal and modifications. Software should adhere to SLSA build practices, exceptions explicitly chosen by the user.

    Systems should be immutable with expectations being explicit to the user and triggering snapshotting.

    DNSSEC and DNSoTLS/DNSoHTTPS should be default and configurable on install.

    NTS should be default for NTP configuration. Hardware time sources should be configurable on install.

    Applications should be privacy preserving by default (not defaulting to Google for example).

    These are just off the top of my head stuff, stuff I had to annoyingly learn and set up myself to harden systems instead of it just being part of sane defaults. CIS benchmark has more controls that should be set.
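
An added example, not written by the commenter: a POSIX shell audit of a few of the settings named in the comment above (DNSSEC, DNS over TLS, NTS, SELinux, FIPS). The default file paths and the environment variables that override them are assumptions that vary by distribution, and drop-in directories such as `resolved.conf.d` are not read.

```shell
#!/bin/sh
# Added example: each check reads one file, so it can be pointed at a copy.
# conf_value FILE KEY: last uncommented KEY=value in FILE, lowercased (assumes last one wins).
conf_value() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}
is_true() { case "$1" in yes|true|on|1) return 0 ;; *) return 1 ;; esac; }

# systemd-resolved: allow-downgrade / opportunistic are treated as not enforced.
check_dnssec()  { is_true "$(conf_value "$1" DNSSEC)"; }
check_dot()     { is_true "$(conf_value "$1" DNSOverTLS)"; }
# Configured SELinux mode at boot, not the runtime state reported by getenforce.
check_selinux() { [ "$(conf_value "$1" SELINUX)" = "enforcing" ]; }
check_fips()    { [ -r "$1" ] && [ "$(cat "$1")" = "1" ]; }

# chrony: at least one server/pool line, and every one carries the "nts" option.
check_nts() {
    [ -r "$1" ] || return 1
    awk '$1=="server"||$1=="pool"{n++; ok=0; for(i=3;i<=NF;i++) if($i=="nts") ok=1; if(!ok) bad++}
         END{exit !(n>0 && bad==0)}' "$1"
}

report() {  # report LABEL COMMAND [ARGS...]
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

audit() {
    report "DNSSEC validation enforced" check_dnssec  "${RESOLVED_CONF:-/etc/systemd/resolved.conf}"
    report "DNS over TLS enforced"      check_dot     "${RESOLVED_CONF:-/etc/systemd/resolved.conf}"
    report "All NTP sources use NTS"    check_nts     "${CHRONY_CONF:-/etc/chrony.conf}"
    report "SELinux set to enforcing"   check_selinux "${SELINUX_CONF:-/etc/selinux/config}"
    report "Kernel FIPS mode enabled"   check_fips    "${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"
}

audit
```

A FAIL here only means the setting is not enforced in the file that was read; a drop-in or a different resolver or time daemon may still provide it.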