Should be considered for Whonix and Kicksecure.
After a package is installed (perhaps as a dependency) not all systemd unit files should be enabled automatically to reduce attack surface, more efficient RAM use and better performance.
Configure systemd units to not be enabled by default.
We’d ship a systemd preset file to explicitly enable any default service that we install by default and want to be enabled.
Users who do
sudo apt install nginx though would be left annoyed and confused why they also need to run
sudo systemctl enable nginx,
sudo systemctl start nginx (or some combined command, if existing).