You could argue that the scope of security-misc should be limited and that cold boot attack defense should be a separate package instead. Then security-misc could disable kexec and cold boot attack defense could re-enable it.
That would allow cold boot attack defense to only be enabled on host operating systems. It would get installed on Kicksecure host operating systems by default but could be omitted in VMs (as it seems it’s not useful there except for development and testing).
spec_rstack_overflow=
    [X86] Control RAS overflow mitigation on AMD Zen CPUs
    off         - Disable mitigation
    microcode   - Enable microcode mitigation only
    safe-ret    - Enable sw-only safe RET mitigation (default)
    ibpb        - Enable mitigation by issuing IBPB on kernel entry
    ibpb-vmexit - Issue IBPB only on VMEXIT (cloud-specific mitigation)
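A small POSIX shell helper, added here and not part of the post or of the security-misc package, that extracts the spec_rstack_overflow= value from a kernel command line and checks it against the modes listed above; the command lines it runs on are constructed samples, and it assumes the usual kernel behaviour that a later occurrence of a parameter overrides an earlier one.

```shell
#!/bin/sh
# Added example: validate the spec_rstack_overflow= boot parameter against the
# modes documented in kernel-parameters.txt. Sample inputs are constructed.

# Modes documented for spec_rstack_overflow= (x86, AMD Zen).
SRSO_MODES="off microcode safe-ret ibpb ibpb-vmexit"

# srso_mode_from_cmdline CMDLINE
# Prints the value of the last spec_rstack_overflow= token (assumed: the
# kernel's handler runs once per occurrence, so the last one wins), or
# "default" when the parameter is absent.
srso_mode_from_cmdline() {
    mode="default"
    for tok in $1; do
        case "$tok" in
            spec_rstack_overflow=*) mode="${tok#spec_rstack_overflow=}" ;;
        esac
    done
    printf '%s\n' "$mode"
}

# srso_mode_is_valid MODE -> exit status 0 if MODE is a documented value
srso_mode_is_valid() {
    for m in $SRSO_MODES; do
        [ "$1" = "$m" ] && return 0
    done
    return 1
}

# srso_check CMDLINE
# Prints "ok <mode>" for a documented mode, a note that the documented
# default (safe-ret) applies when the parameter is unset, or "invalid <mode>"
# for a value such as "saferet" that selects none of the listed modes.
srso_check() {
    mode=$(srso_mode_from_cmdline "$1")
    if [ "$mode" = "default" ]; then
        printf 'default (documented default is safe-ret)\n'
    elif srso_mode_is_valid "$mode"; then
        printf 'ok %s\n' "$mode"
    else
        printf 'invalid %s\n' "$mode"
    fi
}

# Constructed command lines; on a live system pass "$(cat /proc/cmdline)" and
# compare with /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow.
srso_check "BOOT_IMAGE=/vmlinuz root=/dev/sda1 spec_rstack_overflow=ibpb quiet"
srso_check "BOOT_IMAGE=/vmlinuz root=/dev/sda1 quiet"
srso_check "BOOT_IMAGE=/vmlinuz spec_rstack_overflow=off spec_rstack_overflow=saferet"
```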