Fedora 40 To Apply Systemd Security Hardening
#1
Phoronix: Fedora 40 To Apply Systemd Security Hardening

Fedora 40 is planning to provide more hardened system security by leveraging some high level security features provided by systemd...


#2
If I am right about this, this is going to be more for servers rather than desktops. I have not had any security issues while using Linux (and granted, same for Windows and Mac). I use a combination of Pi-Hole (network) and NoScript in Firefox to help me stay safe online.

#3
Originally posted by GraysonPeddie View Post
If I am right about this, this is going to be more for servers rather than desktops. I have not had any security issues while using Linux (and granted, same for Windows and Mac). I use a combination of Pi-Hole (network) and NoScript in Firefox to help me stay safe online.
The scope is all the system services listed in the change proposal. It includes a number of desktop oriented services.

#4
and push that upstream wherever feasible.
Nice. As a Kubuntu user, it's been dismaying how few lines in the systemd-analyze security output have an exposure score less than the 9.6 which seems to be the default.

#5
Definitely make systemd larger by hardening it, which is needed because it is so big and complex! /s :P

#6
Originally posted by ssokolow View Post
Nice. As a Kubuntu user, it's been dismaying how few lines in the systemd-analyze security output have an exposure score less than the 9.6 which seems to be the default.
Systemd suffers from a common syndrome of not wanting to break existing applications, so enforcing reasonable restrictions with new defaults is not implemented. The applications I have built tend to have a score of approximately 1, but that is due to careful analysis, which typically requires upstream interest (and all too few care about security).
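The exposure score the two posts above are discussing comes from the per-unit listing that `systemd-analyze security` prints (one row per service: unit name, exposure, predicate, and a mood column). The script below is an added example, not something from the thread or from systemd itself; it triages such a listing so the units still at the 9.6 level stand out. The listing embedded in it is a constructed sample with ASCII smileys standing in for the emoji column; on a live system you would pipe `systemd-analyze security --no-pager` into the same functions.

```shell
#!/bin/sh
# Added example: triage the table printed by `systemd-analyze security`.
# Row format (systemd 245 and later): UNIT EXPOSURE PREDICATE HAPPY.
# SAMPLE_LISTING is a constructed stand-in for the live output, not real data.

SAMPLE_LISTING='UNIT                    EXPOSURE PREDICATE HAPPY
chronyd.service              1.4 OK        :)
sshd.service                 9.6 UNSAFE    :(
cups.service                 9.6 UNSAFE    :(
avahi-daemon.service         8.3 EXPOSED   :|
systemd-logind.service       2.8 OK        :)'

# units_above THRESHOLD  (listing on stdin)
# Prints "UNIT EXPOSURE" for every unit whose exposure is above THRESHOLD,
# worst first. awk does the comparison because sh arithmetic is integer-only;
# NR > 1 skips the header row.
units_above() {
    awk -v limit="$1" 'NR > 1 && ($2 + 0) > limit { print $1, $2 }' | sort -k2 -nr
}

# count_at_default  (listing on stdin)
# Counts units still sitting at the 9.6 exposure the thread describes as the
# usual default, i.e. units with no sandboxing directives applied at all.
count_at_default() {
    awk 'NR > 1 && $2 == "9.6" { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | units_above 5
printf 'units at the 9.6 default: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | count_at_default)"
```

A threshold of 5 is an arbitrary starting point; the score is a heuristic weighting of which sandboxing directives are set, not a vulnerability count, so a 9.6 unit that only ever runs as an unprivileged user is a lower priority than a 9.6 unit running as root with network access.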

#7
Originally posted by GraysonPeddie View Post
If I am right about this, this is going to be more for servers rather than desktops. I have not had any security issues while using Linux (and granted, same for Windows and Mac). I use a combination of Pi-Hole (network) and NoScript in Firefox to help me stay safe online.
Admittedly I haven't looked up which services this will apply to, but I can definitely see a couple of desktop services that could benefit from this: avahi, cups, pipewire...

#8
Originally posted by ssokolow View Post
Nice. As a Kubuntu user, it's been dismaying how few lines in the systemd-analyze security output have an exposure score less than the 9.6 which seems to be the default.
I assume most general purpose distros are that level by default. I talked to some of the folks involved when putting together this proposal and they consider it more desirable but are reluctant to restrict services too much by default since it is hard to do this without causing breakages during upgrades, especially for random services that aren't provided by the distro that the user may be running. Hence the compromise of limiting these settings to only default system services for this release and applying settings on a service-by-service level. For your own system, you could very well go the other way around and restrict it much more heavily, i.e. say you are running ntp or chrony or whatever, you can set that to have ProtectClock=no and use a global drop-in with ProtectClock=yes that applies to all the services, rinse and repeat for all these hardening settings. However, if you'd rather wait, hopefully in a few months at least some of these settings go upstream and you and other distro users can get these changes.
Last edited by RahulSundaram; 15 December 2023, 12:32 AM.
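The "global drop-in plus per-service opt-out" pattern in the post above is easy to get wrong in the other direction (the opt-out silently losing to the global setting), so the following added example stages both drop-ins under a scratch directory and checks which assignment wins before anything is copied to `/etc/systemd/system`. It is not from the thread and not part of Fedora's change; the `effective_value` helper is my own emulation of the precedence documented in systemd.unit(5) (type-wide `service.d/` first, then the unit's own `.d/` directory, each in lexical order, last assignment wins). The directory names and the chronyd unit are assumptions chosen to match the post.

```shell
#!/bin/sh
# Added example: global ProtectClock=yes for every .service, switched back off
# for the one unit that legitimately needs to set the clock (chronyd).
# ROOT stands in for /etc/systemd/system so the layout can be inspected first.

# render_dropins ROOT -- write the two drop-in files below ROOT
render_dropins() {
    root="$1"
    mkdir -p "$root/service.d" "$root/chronyd.service.d"
    # Type-wide drop-in: systemd applies it to every *.service unit it loads.
    cat > "$root/service.d/10-hardening.conf" <<'EOF'
[Service]
ProtectClock=yes
EOF
    # Unit-specific drop-in: applied after the type-wide ones, so this later
    # assignment wins and chronyd keeps the ability to adjust the clock.
    cat > "$root/chronyd.service.d/10-clock.conf" <<'EOF'
[Service]
ProtectClock=no
EOF
}

# effective_value ROOT UNIT KEY -- emulate drop-in precedence and print the
# last assignment of KEY. This follows systemd.unit(5)'s ordering (assumption
# of this example); on a live system `systemctl show -p KEY UNIT` is authoritative.
effective_value() {
    root="$1"; unit="$2"; key="$3"
    type_dir="$root/${unit##*.}.d"   # chronyd.service -> service.d
    unit_dir="$root/$unit.d"         # chronyd.service -> chronyd.service.d
    # Globs expand in lexical order; a missing unit directory just yields nothing.
    cat "$type_dir"/*.conf "$unit_dir"/*.conf 2>/dev/null |
        awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }'
}

# Stand-alone run: stage under a temp dir and show the two outcomes.
staging="$(mktemp -d)"
render_dropins "$staging"
printf 'chronyd.service ProtectClock=%s\n' "$(effective_value "$staging" chronyd.service ProtectClock)"
printf 'sshd.service    ProtectClock=%s\n' "$(effective_value "$staging" sshd.service ProtectClock)"
rm -rf "$staging"
```

Once the staged tree is copied into `/etc/systemd/system`, run `systemctl daemon-reload`, confirm with `systemctl show -p ProtectClock chronyd.service`, restart the affected units one at a time and check `systemctl status` for each, since a third-party service that needs a capability you removed will fail on its next start rather than at reload. Each further hardening directive follows the same two-file pattern.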

#9
Originally posted by jacob View Post
Admittedly I haven't looked up which services this will apply to, but I can definitely see a couple of desktop services that could benefit from this: avahi, cups, pipewire...
Not for PipeWire since it is a user service in Fedora and I am scoping the change to only default system services for this release. Avahi and cups, on the other hand, are listed in the change proposal.

#10
Originally posted by GraysonPeddie View Post
If I am right about this, this is going to be more for servers rather than desktops. I have not had any security issues while using Linux (and granted, same for Windows and Mac). I use a combination of Pi-Hole (network) and NoScript in Firefox to help me stay safe online.
This will protect desktop home users equally. Anyone can be infected by a rootkit and this helps to mitigate some risks with the init process that have been around since the dawn of computing.
