Let me list the counter arguments to the proposal (to include a new field
PREFER_HARDENED_CONFIG) so far:
* The packages should be deploying a secure configuration by default.
Counter-argument: Yes, but they don't. There are obviuosly competing interests
and sometimes convenience wins.
To what extent a machine is locked down is a policy choice. There are
already loads of tools available to manage policy so this really doesn't
belong here and if you want to ensure that your fleet of machines are locked
down through something like PREFER_HARDENED_CONFIG=1, you're going to need