Only thing I can comment on is that 99% of all E-Mails you will get are unencrypted and can be read by your relay. (There are few e2e encrypted emails being send.)

So either trust them or don’t use a relay.

Step 1: Get write access to the project you dislike.

From the mailing list I’m reading that kernel maintainers have heard a few companies looking for something like this, so yes?

Edit:

However, to be clear, the Hornet LSM proposed here seems very reasonable to me and I would have no conceptual objections to merging it upstream. Based on off-list discussions I believe there is a lot of demand for something like this, and I believe many people will be happy to have BPF signature verification in-tree.

Preventing kernel modifications to expand upon the work done for kernel lockdown. Add additional layers to system security.

Kernel_lockdown:

prevent both direct and indirect access to a running kernel image, attempting to protect against unauthorized modification of the kernel image and to prevent access to security and cryptographic data located in kernel memory, […]

I recommend switching to NixOS only after you have a basic but broad understanding of Linux, many things in NixOS are more complicated than in “normal” Linux, which is needed to archive what it does, but is overwhelming for someone who doesn’t know the what and why and where that using Linux brings.

Instead of using systemd user services you can just use a normal systemd service and tell it to run the command as a specific user, put something like this in a file at /etc/systemd/system/<unit Name>.service

[Unit]
Description=Run service as user test
After=network.target

[Service]
Type=simple
User=test
Group=test
ExecStart=/opt/teamspoke

[Install]
WantedBy=default.target

Then set it to start at boot

systemctl enable <unit Name>.service

And to start it now

systemctl start <unit Name>.service