I agree with the importance of applying "security updates" on a regular basis. Given the recent problems at Equifax clearly underlines that importance.

What I disagree with is imposition of "mandatory security updates" because that begs the question, "Who is the rightful owner of the computer hardware and operator of the OS?"

So long as Debian's approach is "ask us" not "force us", as well as make this "feature" a removeable package, then I am "ok" with this idea, but I would like to learn more about how this "feature" behaves when it is set to "automatic".

Think about this problem this way. You run Debian OS on a custom-built firewall where the "security updates feature" is set to automatic. At some point the OS checks for updates, finds them, and then determines the system needs to reboot because 1 or more updates encounters a library or application that is in use that needs to be updated. Should the OS automatically reboot and disrupt traffic through the firewall? Can you imagine what might happen in an environment that mandates "change control" and "change control notifications" for IT?

Anyone who don't want the automatic updates can just remove unattended-upgrades. Those who don't know how to do that probably should keep it installed.

Is wayland gonna be default?

This depends on what DE you install. So perhaps your question should be answered in a per-DE basis.

For instance, it already is for GNOME (in testing I mean). But it doesn't mean much, as you simply choose whatever session you want when you login, then this option is remembered.

You're seriously overreacting, so I'll have to ask you to calm your tits because this is Debian.

As clearly explained in the article, this is handled by a package called unattended-upgrades.
It existed since a while ago, it has its own wiki article https://wiki.debian.org/UnattendedUpgrades and its upstream source repo https://github.com/mvo5/unattended-upgrades

It has extensive configuration options if you see the README in the source repo (or the CLI manual).

Other distros like say OpenSUSE also have a similar feature (although not enabled by default), and it makes sense.

In default config autoreboot-after-upgrade is disabled, again this is Debian, not Win10.

It has a config option to have it send an email when it finds updates.

Plus, installation images for more exotic architectures:

> https://cdimage.debian.org/cdimage/ports/

Despite the "9.0" in the filename, these images actually install Debian sid/buster.

I could care less about comments that come from sensitive snowflakes like yourself who are so easily triggered by the comments of others.

Welcome to my "Phoronix block list". You are welcome to do the same.

Rebooting a firewall would be decent, if there's almost nothing running (other than the firewalling software) and what's running need be rebooted - it's not like a 20 second disruption is a huge deal. Decent ISP router/modem/VoIP/coffee grinder boxes do this.
Alternatively a daemon would be restarted. There's a real security risk where a daemon is updated but the former version still is running and for monthes.

Perhaps when a security fix is marked "critical" would you agree with an auto-reboot or restart, depending on the use of the machine and what you think about it.