All client security products are making tradeoffs between keeping the user safe and requiring them to read and understand configuration settings in their security products. The options recommended here fall into either the "this will break some legitimate stuff" bucket or the "this potentially uploads a lot of user data to the cloud". I agree with them being off by default; if you understand and can handle it, you can turn them on. If gpedit is scary, you should leave them alone.