Nice.
BTW running:
systemd-analyze security
in a terminal looks horrible in Whonix-WS and Whonix-GW (Qubes), with basically 80-90% of services listed as UNSAFE or EXPOSED.
This command doesn’t consider security-enforced policies like SELinux or AppArmor though, so possibly/probably a lot of false positives, particularly for non-Qubes-Whonix thanks to @madaidan's AppArmor hardening.
But I do wonder if there are some easy wins in the long scary lists, i.e. can anything be disabled entirely (if not really a necessary service), or maybe there are some systemd security directives that can be used?
See also:
https://www.freedesktop.org/software/systemd/man/systemd-analyze.html
PS Pity about the shitty forum software that has borked our logins via v3 onion again. @mig5 … you’re our only hope.
PPS @0brand you still about? We should get the wiki thing happening again (bit short on time myself)
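
Added example, not part of the original post: a small triage script that parses the table `systemd-analyze security` prints, ranks the units marked UNSAFE or EXPOSED by exposure score, and reports what share of all units they make up. The unit names and scores in `SAMPLE` are constructed for illustration and are not taken from a Whonix system; as the post notes, the score does not account for AppArmor or SELinux confinement.

```python
import re

# Constructed sample in the column layout `systemd-analyze security` prints.
# Unit names and scores are made up for illustration.
SAMPLE = """\
UNIT                          EXPOSURE PREDICATE HAPPY
example-cron.service               9.6 UNSAFE    😨
example-net.service                7.8 EXPOSED   🙁
example-modem.service              5.8 MEDIUM    😐
example-log.service                4.4 OK        🙂
example-sandboxed.service          1.2 SAFE      😀
"""

# unit name, numeric exposure score, predicate word; the trailing emoji is ignored.
ROW = re.compile(r"^(\S+)\s+(\d+(?:\.\d+)?)\s+([A-Z]+)\b")
FLAGGED = {"UNSAFE", "EXPOSED"}


def parse(text):
    """Return (unit, exposure, predicate) tuples; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # the header row fails here because EXPOSURE is not a number
            rows.append((m.group(1), float(m.group(2)), m.group(3)))
    return rows


def triage(text):
    """Return (flagged units sorted worst first, share of all units flagged)."""
    rows = parse(text)
    flagged = sorted((r for r in rows if r[2] in FLAGGED), key=lambda r: -r[1])
    share = len(flagged) / len(rows) if rows else 0.0
    return flagged, share


if __name__ == "__main__":
    flagged, share = triage(SAMPLE)
    print(f"{len(flagged)} flagged units ({share:.0%} of all units)")
    for unit, exposure, predicate in flagged:
        print(f"{exposure:4.1f}  {predicate:8}  {unit}")
```

To run it on real output, replace `SAMPLE` with the text captured from `systemd-analyze security --no-pager`.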