  • Author Developer
    • CONFIG_SIG_* are WIP and tied to secure boot
    • CONFIG_GCC_PLUGIN* need work because plugins need to be shipped in a binary package (maybe linux-kbuild or a new package) and out-of-tree modules need to be built with the same version the plugins were built with, which can be hard to track in stable and unstable
    • CONFIG_DEBUG_* could maybe be enabled, not sure yet of the impact
    • CONFIG_SLUB_DEBUG_ON is not a good idea, rather use slub_debug=P on the command line (see https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#kernel_command_line_options)
    • CONFIG_PROC_KCORE: not sure it's really more useful than dangerous these days
    • Some features marked as =m might be dangerous in some cases but we can't really disable them in a generic distribution like Debian; preventing autoloading is already nice
    • Other features marked as =y: same thing, not sure we can disable them on Debian
  • Author Developer

    Actually CONFIG_SIG is set in debian/rules.gen following the signed-code setting in the [build] section of the arch defines. signed-code is enabled in 4.17 (we use SHA256, not SHA512, but it's not really relevant I think).

    Edited by Yves-Alexis Perez