I experienced a similar sounding issue, but was able to decipher the blocked emerge output from portage to find that app-crypt/tpm2-tss-engine was blocking the whole system from getting onto openssl-3. Once I dropped tpm2-tss-engine, things went forward swimmingly. No other unmasking/masking of anything was needed.
Ooooh yes.. Fond memories of attending a few events that were hosted by Hurricane Electric on folding tables in some conference room annex of their data center. And the marvel of finally having an Ethernet connection to the Internet instead of dialup! I'm not sure I balanced "game time" with "download-all-the-things time" well enough.
It may be worth checking the fzf plugin you're using with Fish. There is a more recent+maintained effort[0] that brings an even more delightful feature set, particularly with Ctrl+R/_fzf_search_history
When browser-managed credentials are synchronized across devices, an attacker may be able to move laterally into an enterprise by compromising the personally managed device or personally managed account (since it may be without 2FA, or may use a shared/guessable/weak password that's shared across dozens of compromised websites, or be far behind on app/OS patches, etc.)
Really depends on the role of the system. Will it be multi-user/single-user? Hosting containers? Hosting virtual machines? Running as a virtual machine? Doing network magic? Each of these classifications will take hardening in different directions.
Then you can also see if the distro is doing things to harden the binaries (relro, nx, canaries, aslr, pie, etc.): https://www.trapkit.de/tools/checksec/
Also! You may be surprised to find which distros are comfortable with allowing unprivileged user namespaces (kernel.unprivileged_userns_clone=1)
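As an added example (not the commenter's code and not checksec itself), here is a minimal reader that pulls three of the hardening properties checksec reports (NX stack, PIE, RELRO) straight out of an ELF64 program-header table, so you can audit a distro's binaries without extra dependencies. It assumes little-endian ELF64 input and builds its own constructed sample images; canaries and full RELRO (BIND_NOW) need the symbol and dynamic sections and are deliberately out of scope.

```python
import struct
import sys

# Program-header types and flag bits from the ELF specification.
PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 3, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3


def elf_hardening(data: bytes) -> dict:
    """Return {'nx', 'pie', 'relro'} booleans for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    flags_by_type = {}
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        flags_by_type.setdefault(p_type, p_flags)
    return {
        # A missing PT_GNU_STACK is read conservatively as "not hardened",
        # since the loader may then fall back to an executable stack.
        "nx": PT_GNU_STACK in flags_by_type
              and not flags_by_type[PT_GNU_STACK] & PF_X,
        # ET_DYN alone also matches shared libraries; requiring PT_INTERP
        # narrows it to position-independent executables.
        "pie": e_type == ET_DYN and PT_INTERP in flags_by_type,
        # Presence of PT_GNU_RELRO means at least partial RELRO.
        "relro": PT_GNU_RELRO in flags_by_type,
    }


def build_sample_elf(e_type: int, stack_flags: int, relro: bool) -> bytes:
    """Constructed, code-free ELF64 image used purely to exercise elf_hardening()."""
    phdrs = [(PT_GNU_STACK, stack_flags), (PT_INTERP, PF_R)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                        64, 56, len(phdrs), 64, 0, 0)
    phtab = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                     for t, f in phdrs)
    return ehdr + phtab


if __name__ == "__main__":
    # Usage: python elf_hardening.py /path/to/binary
    with open(sys.argv[1], "rb") as fh:
        print(elf_hardening(fh.read()))
```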