Should we not look at securing services on Proxmox?
systemd-analyze security - gives out most as unsafe... any ideas?
You will need to understand what systemd-analyze security does and what it does not. It's NOT a general-purpose vulnerability scanner like lynis; it checks whether the systemd files use certain sandboxing features of systemd. The idea is that you lock your service in an environment where a lot of things are not possible even if in theory the service (or an attacker taking over the service) has the permission to use them.
For example, I might set up a webserver which runs under the user www-data. The served files are inside the /srv/www directory, which has read/write permissions for the user www-data and every member of the group www-data. Although the users need write permissions (otherwise they couldn't add new pages), the webserver doesn't need them; it only needs to read them to serve them to the internet. Thus I could use a systemd directive saying that this folder should be read-only for the webserver. Now if an attacker manages to manipulate the web server, he still wouldn't be able to write files to /srv/www.
Of course this will only work as long as there isn't a vulnerability in this part of systemd's sandboxing mechanisms.
Lennart Poettering (one of systemd's developers) published a blog post on it:
https://0pointer.de/blog/projects/security.html
A shorter (and therefore less complete and detailed) introduction:
https://0pointer.de/blog/projects/security.html
And of course the manual pages of systemd.
The majority are low-hanging fruits that should work with most programs without causing problems. They are not enabled by default though, since in the end the software's developers should know which permissions are needed by their programs and which are not. Thus it's actually the job of the developers to provide hardened service files.
Sadly most projects don't know or don't care about this and thus still use the less secure defaults. A sysadmin however can use systemd overrides for additional hardening, but he will have to do thorough testing to make sure that everything still works.
Coming back to Proxmox: Probably Proxmox services could also be hardened, but I doubt that there will be much gain. For example the PrivateNetwork directive bans a service from using the network. This is useful for e.g. a service which only talks to other services on the same machine. For Proxmox cluster services this wouldn't make sense, obviously. And I guess that this might be true for most of the remaining directives.
On the other hand there are some directives which might work even then. But this would need to be investigated.
Guess I should open a suggestion ticket in Proxmox Bugzilla or write a mail to their security contact on this.
In your case I wouldn't worry too much. If you followed LnxBil's hint on the firewall (combined with another firewall on the network level, so even in case of a security issue with the PVE firewall you will still be safe), backup, SSO etc., you are better off than many homelabbers AND companies.
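The web server case described in the thread, written out as a systemd override. This is an added example, not part of the original posts and not a Proxmox-provided file; the unit name `mywebserver.service`, the log directory and the assumption that the daemon can start directly as www-data are hypothetical.

```ini
# /etc/systemd/system/mywebserver.service.d/hardening.conf
# Constructed drop-in for a hypothetical unit "mywebserver.service".
# Create with:  systemctl edit mywebserver.service
# Score with:   systemd-analyze security mywebserver.service
[Service]
# Assumption: the daemon can start directly as www-data (no root phase).
User=www-data
Group=www-data
# Allow binding ports 80/443 without root; drop every other capability.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

# File system: mount the OS read-only for this service and state the
# content directory explicitly, so the intent survives later edits.
ProtectSystem=strict
ReadOnlyPaths=/srv/www
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# Assumption: logs go to /var/log/mywebserver; this directive creates
# the directory and keeps it writable despite ProtectSystem=strict.
LogsDirectory=mywebserver

# Kernel and process surface the web server has no reason to touch.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallFilter=@system-service
SystemCallArchitectures=native

# The service must reach the network, so PrivateNetwork= is not used;
# restrict the socket families instead.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
```

After restarting the unit, compare the `systemd-analyze security` score before and after, and exercise every function of the service, since a directive that is too strict only shows up at runtime.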