They should do it earlier. My organization has required to disable sha-1 in sshd_config for quite a few years, and I have to edit cryptopolicies to achieve this.
(FUTURE doesn't work as well because it breaks a number of websites)

Update; oh Gee could they drop all SHA-1 from their default policies? It's still there in MACs.

thank you

I hope that also means they'll get on to encrypting /boot with Silverblue installs. An unlocked bootloader is a very large hole in the security of the system, especially laptops and other portable systems.

Don't know about y'all, but I'd prefer unlocking my bootloader that will then unlock my root and home drives (the system) either via password pass-through or keyfiles over having an unlocked bootloader and having to unlock the system manually. I can create my own units and whatnot for my own drives, but I'd like the core OS, we'll call that all the drives setup in Anaconda, to have some secure automagic by default outside of the very initial password prompt...3+ password prompts every boot gets old fast so a desktop OS needs a blend of security and automagic convenience.