secureblue/RECOMMENDED.md
2024-09-30 23:51:38 -07:00

GNOME is the only desktop that secures privileged Wayland protocols like screencopy. This means that on non-GNOME systems, applications can access the screen content of the entire desktop, which implicitly includes the content of other applications. It's primarily for this reason that GNOME images are recommended. KDE has plans to fix this.

Also, while the Bluefin-based images have GNOME, they can't be shipped with hardened_malloc. This is because they are rechunked, which exposes an ostree memory bug. They instead ship with hardened_malloc-light to mitigate this issue. hardened_malloc-light is a security downgrade compared to hardened_malloc, and for this reason the Bluefin images can't be recommended. Stick with the listed recommended images for a maximally secure experience.