Whonix Enterprise Software

Sorry - not much time at the moment. Should improve soon.

Security gurus @Patrick @madaidan @HulaHoop

Any easy security wins that Whonix/Kicksecure has missed in this list below? I know a bunch won’t apply at all. Apparently mil, guvvie, paranoid corporates etc. use these lists.

https://static.open-scap.org/ssg-guides/ssg-debian10-guide-default.html

Table of Contents

Remediation functions used by the SCAP Security Guide Project
System Settings
    Configure Syslog
    Network Configuration and Firewalls
    GRUB2 bootloader configuration
    SELinux
    Set Boot Loader Password
    Protect Random-Number Entropy Pool
    Account and Access Control
    File Permissions and Masks
    System Accounting with auditd
    Installing and Maintaining Software
Services
    Obsolete Services
    APT service configuration
    FTP Server
    SNMP Server
    Cron and At Daemons
    X Window System
    Network Routing
    DNS Server
    LDAP
    DHCP
    Samba(SMB) Microsoft Windows File Sharing Server
    USBGuard daemon
    Web Server
    System Security Services Daemon
    Network Time Protocol
    Kerberos
    Hardware RNG Entropy Gatherer Daemon
    Application Whitelisting Daemon
    Base Services
    Proxy Server
    Mail Server Software
    IMAP and POP3 Server
    Deprecated services
    NFS and RPC
    Print Support
    Docker Service
    Avahi Server
    SSH Server
Introduction
    General Principles
    How to Use This Guide

(BTW Another good reference for hardening Whonix is the DISA STIG guides - there is one for Debian Linux 10, but you have to give an email address to download the free PDF - so no dice unless you’re keen. Pity, because US Department of Defense systems utilise those guides and they are very thorough. The Debian 8 version can easily be found online though; probably still very relevant)

Great! :) It’s time to immortalize your stuff which is frankly, awesome.

3 Likes

It’s mostly just configuring certain services that aren’t used in Whonix (e.g. a mail server) so there’s not much there that applies to us.

1 Like

Created:

I was thinking about it and concluded that it’s not worth spending time working on enterprise issues.

Whonix / Kicksecure is not an enterprise operating system yet. Such a flavor might be possible in future if an enterprise pays for implementation of these features / such a flavor.

It would require a different project focus and need work on things such as uploading logs to a log server. Any half-serious attempts such as implementing some things that enterprises want would be in vain as there are other projects which specialize in enterprise software.

Working on STIG though makes sense. Some recommendations might in theory be applicable for Whonix at its current state too. Hence my previous post.

1 Like

related: