Looking for more opinions on this, I feel like this is above my pay grade.
So far I’m looking at these settings.
Their recommendation is enabling MOZILLA_OFFICIAL and MOZ_REQUIRE_SIGNING.
The MOZILLA_OFFICIAL setting, though oddly named, controls whether the build is considered a “release build” or not, which affects several behaviors. One effect of this setting being disabled is that telemetry can’t function. This will surely be a bug to some, and a feature to others, but here is one bug report: Allow Firefox telemetry · Issue #121826 · NixOS/nixpkgs · GitHub
The MOZ_TELEMETRY_REPORTING setting can disable telemetry for release builds. I think we can leave this setting alone, and let users decide.
The MOZ_REQUIRE_SIGNING setting controls whether unsigned extensions are allowed. Enabling this setting is a security win for those who install extensions from AMO (mozilla.org), but would most likely break locally built extensions. From hanging out in Mozilla’s Matrix chat, I’m getting the feeling that the default for this may change in the future, or the default could someday be based on the current MOZILLA_OFFICIAL setting, so it may be necessary to explicitly configure this if nixpkgs depends on it.
(Maybe related? 1712633 - Set MOZ_REQUIRE_SIGNING appropriately by default)
There seems to be no way to configure signature enforcement at runtime. As far as I can tell, that means either all users will get the same setting, or Firefox gets split into two packages.