That seems like a super weird take to me.
See below.*
For another perspective "Fedora Linux" is widely regarded as the shake down / end user testing for what ends up in RHEL.
I do not think it's a good analogy. Fedora is basically exploring around (consider the flavours like Silverblue even) and overall appears to me rather independent (they stuck to BTRFS, last I remember, even as RHEL ditched it altogether for the reputational risk).
The current Proxmox approach of "no-subscription" and "enterprise" repo seems to broadly do the same kind of thing.
* So that was a hypothesis, but how else would one explain that it's not called something that gives away the fact that it's beta? I understand there's officially a testing one (which should be called unstable), but when new features are implemented on the mailing lists, lots of times the alpha is like "has anyone tried this - oh yeah, it worked ok in the default config, let's ship to no-subscription" - I do not think the repo name was chosen by coincidence. The price you pay is being an (arguably) involuntary beta tester. It's one thing to have a no-support or community flavour of something; it's another to end up reporting regressions that even basic automated tests would have revealed if it was led more rigorously.
For a Hardening guide, it'd make sense to have a pretty prominent item about "Get a Proxmox subscription and use the Enterprise repositories".
That's the thing, the enterprise label is there to imply it's really necessary if PVE is meant as business critical, i.e. one should not be risking running no-subscription - no one should get fired for CVE fallout if they paid for anything "enterprise", right? But it really does not offer anything more than a best-effort SLA. Again, hardening in this sense would serve what purpose? To have it open to the internet? Something it was never designed for ...
Just read through the entire thread you're using as an example of someone being mocked and scapegoated for even asking.
Um... is that the right link? I'm not seeing anyone being mocked or scapegoated at all in that one.
It is the right link from a quick search, no
@LnxBil was not mocking anyone, he is one of the decent ones on the forum. One could find other posts which are worse. You find a design flaw and you are using it wrong, you report a security issue and it is not meant to be exposed (i.e. your fault). Then some promises are given (we will not fix this code, we will not refactor it, we will rewrite it from scratch to abandon the original concept), then it takes forever, then it gets forgotten.
But to sum it up, I do not see PVE being focused on security; it ships more "insecure" than plain Debian out of the box, even. You can open a topic about sudo, apparmor, etc., but in the end it is concluded that it adds complexity for no additional (other than perceived) benefit. I think the team is too small to focus on all those things. I do not think there's anyone really security-first-focused. One person had higher than average awareness, but the focus is on getting new features in. The core features. Proxmox is not in the infosec business.