The secureblue image I use disables numerous kernel modules, and enables many kernel mitigation argument.
The performance impact is minimal, hopefully that means a more secure system? I honestly don’t know, nor do I change the default recommended by the developer.