In security-misc we’re applying a lot of security hardening configurations which are usually only mentioned in security guides.
Leaving that to users, security guides is a broken concept:
It seems very complex and unusual to me to have a user user already set up at this stage
Indeed. Though, we might be the first distribution to apply such security hardening by default.
That would be hard. We’d have to change security-misc implementation somehow. security-misc currently implements these things hopefully as easy and declarative as possible.
We also want that same security hardening when booting in live mode. And re-implementing it with live-config seems harder.