Seems like the best approach would be to lock it down by default, and make it accessible in a diagnostic boot mode, something between console only rescue mode and secured multiuser mode. I might play around with a runlevel to see how feasible a package or script to deploy such a mode would be.

see man 5 proc

For a moment imagine that there are people out there that are not running just single user systems and rethink how all that you just wrote are completely void.

For a moment imagine that those people should absolutely not be the default.

There are "potentially" more, which I don't care about. If there were more they'd give more examples.

Linux is probably on a gazillion to one ratio between servers and single user desktops.

This is a good point. Security vs. usability is a constant battle. If a distro does turn on CONFIG_SECURITY_DMESG_RESTRICT, users could restore the previous functionality via the sysctl.

For completeness on the VirtualBox issue, it was fixed in the April 2017 CPU, and issued CVE-2017-3513. As for other examples, I don't have any off the top of my head. Previous work such as the "kptr_restrict for hiding kernel pointers" patch shows that this has been something people have been thinking about for a while. If one wished to find more examples, research on what prompted that patch would probably lead to more instances of leaked addresses. However, regardless of lack of previous examples, it is always possible that an address leak could be added to the kernel or an out of tree module unintentionally. In which case, an author leaking addresses may avoid using %pK, and therefore still leak. Having CONFIG_SECURITY_DMESG_RESTRICT set thus prevents usage regardless of the way it was written to the kernel logs.

To address https://xkcd.com/1200/. From a kernel hardening perspective, anything
we can do to make it harder for regular users to attack kernel space, that's
good, because even if a service is running as "nobody" and it gets exploited,
the first thing the attacker is going to do is try to elevate privileges to
then attack the user account with email, Facebook, etc. access. One way to do
that is a kernel exploit, which they would have to bypass KALSR to do, and if
they have a leaked address from dmesg (because dmesg_restrict is not set) then
they can use a bug they would have been otherwise unable to use to do that.
Attackers needs a KALSR info leak in order to run the code execution portion of
their exploit, and while dmesg is not the only way they could get that info
leak, it is one possibility, and therefore the secure default is to disable
non-root users access to it.

You get what you pay for. Or more precisely, ones who pay through paying wages to hired devs, get more often what they want. "Those people" are more often backed by corporate money. Which is what most affects development.

So wisely expect Linux future developments in ever-increasing amounts getting dictated by corporate interests. You, simple home user, don't matter, if you get something then because some corporates invest money into development of workstations too. You have you free ride, if you dislike the changes, feel free to switch to alternative OS'es.

On a softer tone. Similar limitations are optional on several BSD's too (more precisely, limiting dmesg to super user and not allowing unprivileged user see any other processes than his/her own). So, it's not just some pointless paranoia by some Linux dev. Poster above brought out very good point about one possible attack vector using dmesg on user level.

joining the security by obscurity bandwagon? hold my beer, done: https://youtu.be/HD6D9gNclYI?t=270