(I work on Privacy Guides)
There is a big difference between a security feature being opt-in versus a security feature being missing entirely though. I will say full disk encryption not being enabled by default is a bit unfortunate, but I think that Microsoft and Apple only get away with it because they push people to use OneDrive and iCloud to backup all their files, so I can see why you couldn’t do that. Suggestions like disabling all unencrypted network requests make no sense really[1], and even in that case the first reply solved that with two lines of config
On the other hand, many of the missing security features in Linux are not “hidden behind a switch,” they’re missing entirely, either because nobody has tackled those issues yet or by design. To be honest… There are really 3 main things I personally want to see (and they’re the ones I see the most people agree with too), but they’re pretty big things:
- Better verified boot… doesn’t make a lot of sense with traditional Workstation really, but with image-based distros like Silverblue where “the system” is actually a well-defined concept it feels more important. I don’t know if progress is being made on the “Has Silverblue achieved Verified Boot? - #3 by siosm” front?
- Better Flatpak sandboxing: Also, I don’t think it actually matters how theoretically secure Flatpak can be if unsafe configurations are allowed by default. The issues mentioned on flatkill.org with `filesystem=host` and `/home` are still a thing as far as I’m aware. Users should — at minimum — be warned about something like this when launching these apps.
- Better permission management. This is kind of related to the last point, but the OS needs to be much more proactive on controlling access to sensitive resources. Android and iOS of course do this, and I think macOS is the current gold standard of this on the desktop. Prompting users when an app tries to access sensitive folders like the Desktop or Documents, and requiring explicit configuration changes to let an app obtain full storage access; and prompting users whenever protected resources are accessed are all things that macOS does very well, and I think Linux needs to take it more seriously.
I don’t really know who needs to work on this stuff, Fedora? GNOME? Flatpak? Linux?
I also don’t think user experience costs are a good reason to exclude any security feature entirely. More on that:
This Tor Browser example actually highlights the role I would like Fedora to have when it comes to downstream security distros. Tor Browser really benefits from Mozilla’s work on Firefox for nearly all of its browser-based privacy and security features, because patches like letterboxing, fingerprinting resistance, first-party isolation, etc. were pulled upstream into mainline Firefox, saving Tor developers a lot of hassle when it comes to maintaining their fork. In a perfect world, Fedora could have all of the security features a downstream distro might desire, simply locked behind opt-in preferences when those features would break other functionality.
…And if that is ever the case, then a security-focused Lab would be a great addition to Fedora. As you already noted the current “Security Lab” has this problem, but a Hardened Lab variant would be great. However it isn’t possible to do in Fedora’s current state because the security features we’re looking for aren’t a matter of tweaks you can make, otherwise we’d simply list those tweaks on Privacy Guides in the first place and call it a day like we do with Firefox.
There’s a lot of work to be done to get Fedora on par with macOS security, which is what I think the overall objective should be.
On a semi-related note… Every time I look at Fedora Silverblue I just end up wishing RedHat had invented snaps instead of Canonical, because containerized desktop and CLI packages with automatic, atomic updates are exactly what I wish Silverblue had, and would bridge the gap between it and Fedora IoT. I almost wish Podman would try and cover Flatpak’s use-cases on desktop, but I don’t think that will happen. With the state of how I see most people use Silverblue right now though (lots of unsandboxed Flatpaks and every single CLI tool inside toolbox), Silverblue kind of feels like the modern version of this classic xkcd.
Thanks for reading my ramblings… Thanks @joseph for letting me know about this thread.
[1] I won’t argue that certain people in the so-called “privacy community” love to check every single box they can without contextualizing things, and have a very black-and-white view of privacy and security lol, but just to be clear I don’t think that hardening by default at the expense of everything else is anyone’s serious objective.
The OP states that “there’s a whole little world of people who go above and beyond their threat models to be as private or secure as they can be as individuals,” but IMHO the security concerns with Linux we mention (on Privacy Guides at least) are things that we believe actually impact real, everyday people. It isn’t “Edward Snowden-level” LARPing to want random apps sandboxed from all of my personal data.
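The post above argues that Flatpak apps shipping with `filesystem=host` (or a `/home` grant) should at least be surfaced to the user. As an added example, not part of the original post and not code from the Flatpak project, here is a small POSIX shell audit that parses the `[Context]` section printed by `flatpak info --show-permissions APP` (where the key is spelled `filesystems=`), flags the broad grants `host`, `home`, `host-os` and `host-etc`, and prints the per-user `flatpak override --nofilesystem=…` command that would revoke each one. When the `flatpak` CLI is not installed it runs against two constructed metadata samples; the app IDs `org.example.LeakyApp` and `org.example.TightApp` and their permission lines are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or the Flatpak project): audit Flatpak
# apps for broad filesystem grants such as filesystem=host, the class of problem
# flatkill.org describes. Parses the [Context] metadata that
# `flatpak info --show-permissions APP` prints; the key there is `filesystems=`.

# Flatpak's own names for grants that expose (nearly) the whole host.
BROAD_FS='host home host-os host-etc'

# broad_filesystems METADATA
#   Prints each broad filesystem token found in the filesystems= line(s), one per
#   line, keeping any :ro/:create suffix so the reader sees the actual grant.
broad_filesystems() {
    printf '%s\n' "$1" | sed -n 's/^filesystems=//p' | tr ';' '\n' | while IFS= read -r entry; do
        base="${entry%%:*}"          # strip a ":ro" / ":create" mode suffix
        for tok in $BROAD_FS; do
            if [ "$base" = "$tok" ]; then
                printf '%s\n' "$entry"
            fi
        done
    done
}

# verdict APP METADATA
#   Prints "APP: BROAD <tokens>" or "APP: ok" on one line.
verdict() {
    found=$(broad_filesystems "$2" | tr '\n' ' ' | sed 's/ *$//')
    if [ -n "$found" ]; then
        printf '%s: BROAD %s\n' "$1" "$found"
    else
        printf '%s: ok\n' "$1"
    fi
}

# revoke_cmd APP METADATA
#   Prints the per-user override that drops each broad grant, e.g.
#   "flatpak override --user --nofilesystem=host org.example.App".
revoke_cmd() {
    for entry in $(broad_filesystems "$2"); do
        printf 'flatpak override --user --nofilesystem=%s %s\n' "${entry%%:*}" "$1"
    done
}

# Constructed sample: what --show-permissions prints for an app with host access.
SAMPLE_LEAKY='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=host;xdg-download;'

# Constructed sample: a tighter app that only gets a read-only download dir.
SAMPLE_TIGHT='[Context]
shared=network;ipc;
sockets=wayland;fallback-x11;
filesystems=xdg-download:ro;'

# Audit real installations when the flatpak CLI is present; otherwise run the demo.
if command -v flatpak >/dev/null 2>&1; then
    flatpak list --app --columns=application | while IFS= read -r app; do
        verdict "$app" "$(flatpak info --show-permissions "$app" 2>/dev/null)"
    done
else
    verdict org.example.LeakyApp "$SAMPLE_LEAKY"   # org.example.LeakyApp: BROAD host
    verdict org.example.TightApp "$SAMPLE_TIGHT"   # org.example.TightApp: ok
    revoke_cmd org.example.LeakyApp "$SAMPLE_LEAKY"
fi
```

The override only narrows the static grant; an app can still reach files the user hands it through the document portal, which is the model the post is asking for by default. Note that `--nofilesystem=host` does not remove more specific grants such as `xdg-download`, so re-run the audit after applying overrides (`flatpak info --show-permissions` reflects the merged result) to confirm what remains.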