Enable AppArmor in Kernel Build
AppArmor is a system for MAC (Mandatory Access Control) which is effective at reducing security risks associated with application exploits. It is somewhat nicer to use than SELinux and it is reasonably simple for a user to adapt or generate a profile for most if not all applications. Since the Pinebook Pro gets attention from people who just want an inexpensive portable linux system in addition to hardware hackers and developers I believe that the strong security provided would be an attractive feature with marginal, if any, performance impact.
The userspace tools are already a part of Manjaro here.
According to the Arch Wiki the applicable flags are:
CONFIG_SECURITY_APPARMOR=y CONFIG_AUDIT=y CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1 CONFIG_DEFAULT_SECURITY_APPARMOR=y
The initial two being the minimum and the latter two setting AppArmor as the default security module without the user having to set kernel parameters.