Fedora systemd hardening

All the VMs (KVM, Gnome Boxes, VirtualBox) I had created for compartmentalization following part of the security strategy of Qubes OS have been corrupted and compromised by intrusions. Fedora is considered a reasonably secure OS host by Whonix developers, preferable only to Kicksecure and Qubes. Windows and Mac are not considered optimal.

But, clearly, further security enhancements have to be implemented in Fedora Workstation. So I started looking into security auditing tools like lynis (systemd-analyze security).

What is the best way to harden NetworkManager.service [Medium] → [Protected], for example, while preserving functionality? Options for hardening systemd service units such as (there are several and which unit stops desired functionality and which unit improves security against a particular threat model is the question)
. . .
[Service]
ProtectSystem=strict
ProtectKernelTunables=yes
ProtectProc=noaccess
. . .
can change the lynis audit results to [Protected] but then the service is no longer functional. Wifi modules go unrecognized, connections can’t be established, VPNs won’t connect, etc.

I got lynis up to a 74 score but VMs still get pwned. What should I focus on to improve host security? Thanks.
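The following is an added example, not part of the original post, showing how to approach the NetworkManager.service question incrementally: instead of editing the stock unit, put a drop-in under NetworkManager.service.d that adds only sandboxing directives the service does not need to work around, refuse the ones the post found break Wi-Fi, connections and VPNs, and re-read the systemd-analyze security score after each change. The drop-in file name, the scratch-directory dry run and the exact directive set are assumptions to be tested on the reader's own machine; the constructed systemd-analyze line at the end of the script is sample text, not captured output.

```shell
#!/bin/sh
# Added example (not from the original post): incremental hardening drop-in
# for NetworkManager.service. File names and directive choices are assumptions;
# apply with --dry-run first, then test Wi-Fi, wired and VPN connections.

UNIT="NetworkManager.service"
DROPIN_NAME="10-hardening.conf"

# Directives the original post reports as breaking NetworkManager.
# ProtectKernelTunables= makes /proc/sys read-only, yet NetworkManager writes
# per-interface settings under /proc/sys/net (IPv6 configuration, for one).
KNOWN_BREAKING="ProtectSystem=strict ProtectKernelTunables=yes ProtectProc=noaccess"

# Print the drop-in. Network capabilities and module loading are left alone,
# so the stock unit's CapabilityBoundingSet= still applies.
nm_hardening_dropin() {
    cat <<'EOF'
# Drop-in for NetworkManager.service (added example; test before keeping)
[Service]
# NetworkManager needs no kernel log access, clock changes or realtime scheduling.
ProtectKernelLogs=yes
ProtectClock=yes
RestrictRealtime=yes
# No set-uid/set-gid file creation and no execution-domain changes.
RestrictSUIDSGID=yes
LockPersonality=yes
# Only native-ABI syscalls (blocks the 32-bit ABI on x86_64).
SystemCallArchitectures=native
# Deliberately NOT set, because they broke the service in the original post:
#   ProtectSystem=strict, ProtectKernelTunables=yes, ProtectProc=noaccess
EOF
}

# Write the drop-in under DIR (default /etc/systemd/system) and print its path.
# Pass a scratch directory to review the file without touching the system.
write_dropin() {
    dir="${1:-/etc/systemd/system}/$UNIT.d"
    mkdir -p "$dir"
    nm_hardening_dropin > "$dir/$DROPIN_NAME"
    printf '%s\n' "$dir/$DROPIN_NAME"
}

# Fail (return 1) if a drop-in sets a directive known to break NetworkManager.
check_dropin() {
    for d in $KNOWN_BREAKING; do
        if grep -q "^$d" "$1"; then
            printf 'refusing: %s breaks NetworkManager\n' "$d" >&2
            return 1
        fi
    done
    return 0
}

# Pull the numeric score out of `systemd-analyze security <unit>` output,
# i.e. the line "→ Overall exposure level for <unit>: 7.5 MEDIUM".
exposure_level() {
    grep 'Overall exposure level' | sed 's/.*: *\([0-9][0-9.]*\).*/\1/'
}

case "${1:-}" in
    --dry-run)
        tmp=$(mktemp -d)
        f=$(write_dropin "$tmp")
        check_dropin "$f" && cat "$f"
        ;;
    --apply)
        # Needs root. Score is printed after restart; then test connectivity.
        f=$(write_dropin)
        check_dropin "$f" && systemctl daemon-reload && systemctl restart "$UNIT" \
            && systemd-analyze security "$UNIT" | exposure_level
        ;;
esac
```

Run it with --dry-run to see the generated file, then with --apply as root; compare the printed score with the one from before the drop-in, and back a directive out with `systemctl revert` or by deleting the drop-in if a connection type stops working. Directives are added one group at a time on purpose: the lynis/systemd-analyze score only tells you what is blocked, not what the service needs.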

How much is too much? I’m currently attempting to compile a series of tweaks from various projects for system hardening. I believe there are some tweaks that are easy (using NTS instead of NTP, Kicksecure’s kernel hardening, blocking GNOME from automounting drives), but there are some that could be disruptive (enabling DNSSEC or private /home/ for some).