I noticed that the HTTP headers objected to above are already in use in MIAB - just not everywhere. They are all present in /admin, but not /mail or /cloud. I’ve no idea why they would be wanted in one place but not another, but it renders the “some people might be adversely affected by them” argument moot - if it’s good enough for one place, it should be good enough for all - I can’t think of any particular reason to use lower security in some parts. Having gone to all that effort to support complex things like DNSSEC, it just seems really odd to ignore such low-hanging fruit.
FWIW, in terms of public acceptability, I recently had a PR accepted that added these same headers to the French president’s site (en-marche.fr). This isn’t exactly radical stuff.
I can understand if you don’t want to change things, and I’m quite happy to make my own modifications - but it would really help if they didn’t get trashed with every update, and the mechanism that’s supposed to keep such changes is (deliberately) undocumented and doesn’t appear to work anyway.
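The inconsistency the poster describes (headers present on /admin but absent on /mail and /cloud) is easy to check for. The following audit script is an added example, not code from the post or from Mail-in-a-Box; the post does not name the headers in question, so the header set checked here is an assumption (a common baseline of HSTS, X-Frame-Options, X-Content-Type-Options, Content-Security-Policy and Referrer-Policy), and the sample responses are constructed to mirror the situation described.

```python
"""Audit which HTTP security headers each path of a host sets, and flag
paths that lack a header some other path on the same host does set.

Added example, not from the original post or Mail-in-a-Box. The header
set below is an assumption: the post does not say which headers it means.
"""
import http.client
import ssl
from typing import Dict, List, Mapping

# Assumed baseline of response headers to check for (not named in the post).
SECURITY_HEADERS = (
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "content-security-policy",
    "referrer-policy",
)


def missing_security_headers(headers: Mapping[str, str]) -> List[str]:
    """Return the baseline headers absent from a response header map.

    Header names are compared case-insensitively, as HTTP requires.
    """
    present = {name.lower() for name in headers}
    return [h for h in SECURITY_HEADERS if h not in present]


def fetch_headers(host: str, path: str, timeout: float = 10.0) -> Dict[str, str]:
    """HEAD request over HTTPS to one path; returns the response headers.

    Returns an empty dict on a network error so the audit can continue
    with the remaining paths. Only used for a live check; the sample run
    below uses constructed responses instead.
    """
    conn = http.client.HTTPSConnection(
        host, timeout=timeout, context=ssl.create_default_context()
    )
    try:
        conn.request("HEAD", path)
        return dict(conn.getresponse().getheaders())
    except OSError:
        return {}
    finally:
        conn.close()


def audit(responses: Mapping[str, Mapping[str, str]]) -> Dict[str, List[str]]:
    """Map each path to the baseline headers it lacks ([] means fully set)."""
    return {path: missing_security_headers(hdrs) for path, hdrs in responses.items()}


def inconsistent_paths(report: Mapping[str, List[str]]) -> List[str]:
    """Paths missing a header that at least one other path on the host sets.

    A header missing from every path is a host-wide gap, not an
    inconsistency, so it is excluded before comparing paths.
    """
    if not report:
        return []
    missing_everywhere = set.intersection(*(set(m) for m in report.values()))
    return sorted(p for p, missing in report.items() if set(missing) - missing_everywhere)


# Constructed sample: /admin sets the full baseline, /mail sets none of it,
# /cloud sets only HSTS. These are not captured responses from any real host.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "/admin": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'",
        "Referrer-Policy": "same-origin",
    },
    "/mail": {"Content-Type": "text/html"},
    "/cloud": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000",
    },
}


if __name__ == "__main__":
    report = audit(SAMPLE_RESPONSES)
    for path, missing in report.items():
        print(f"{path}: missing {missing or 'nothing'}")
    print("inconsistent with siblings:", inconsistent_paths(report))
```

To run it against a live box, replace `SAMPLE_RESPONSES` with `{p: fetch_headers("box.example.com", p) for p in ("/admin", "/mail", "/cloud")}` (hostname is a placeholder). Because the check distinguishes a header missing everywhere from one missing only on some paths, the output separates "we never set this" from the per-path inconsistency the post complains about.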