docs: clarify disablement of GNOME user extensions better (#364)

fiftydinar
2024-08-09 00:59:25 +02:00
committed by GitHub
parent 3fb96ece10
commit 378caba43f
3 changed files with 5 additions and 4 deletions

FAQ.md

@@ -67,10 +67,10 @@ If you still want to enable this functionality, run `ujust toggle-ghns`
Xwayland is disabled by default on GNOME, KDE Plasma, and Sway. Use `ujust toggle-xwayland` if you need it
#### Why I can't install any GNOME user extensions?
#### Why I can't install nor use any GNOME user extensions?
This is because support for installing them has been intentionally disabled in secureblue.
Only system extensions are trusted, if they are installed.
This is because support for installing & using them has been intentionally disabled by default in secureblue.
Only GNOME system extensions are trusted, if they are installed.
To enable support for installing GNOME user extensions, you can run ujust command:
`ujust toggle-gnome-extensions`
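Review bot: The unchanged line "To enable support for installing GNOME user extensions, you can run ujust command:" now disagrees with the reworded heading and paragraph, which say both installing and using are disabled, so a reader cannot tell whether `ujust toggle-gnome-extensions` restores usage as well. Suggest changing it to "installing & using" in the same commit. While here, the new heading reads more naturally as "Why can't I install or use any GNOME user extensions?", and the answer would benefit from one sentence on why user extensions are not trusted, since it currently only states that system extensions are.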


@@ -44,6 +44,7 @@ The following are not in scope:
- Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved
- Configure chronyd to use Network Time Security (NTS) <sup>[using chrony config from GrapheneOS](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf)</sup>
- Disable KDE GHNS by default <sup>[why?](https://blog.davidedmundson.co.uk/blog/kde-store-content/)</sup>
- Disable install & usage of GNOME user extensions by default
- Use HTTPS for all rpm mirrors
- Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned`
- Remove SUID-root from [numerous binaries](https://github.com/secureblue/secureblue/blob/live/files/scripts/removesuid.sh) and replace functionality [using capabilities](https://github.com/secureblue/secureblue/blob/live/files/system/usr/bin/setcapsforunsuidbinaries)
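Review bot: The added bullet "Disable install & usage of GNOME user extensions by default" gives no rationale or pointer, whereas the KDE GHNS bullet directly above it carries a "why?" link. Suggest linking it to the FAQ entry on GNOME user extensions, or mentioning `ujust toggle-gnome-extensions`, so the reader can find both the reason and the way to opt back in.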


@@ -1,4 +1,4 @@
# Disable GNOME user extensions installation
# Disable GNOME user extensions installation & usage
# Only GNOME system extensions are trusted if installed
[org.gnome.shell]
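Review bot: The header comment now claims usage is disabled as well, but only the comment line changes here and the key under `[org.gnome.shell]` is outside the visible lines, so the hunk does not show that the setting matches the new wording. Please confirm the existing key also stops already-installed user extensions from loading, not just new installs. For consistency with the FAQ and feature-list wording, the comment could also say "by default".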