Why not just do everything in VMs or containers?
The OP was on about running a desktop environment which I agree; isn't really something you'd want to run on a production NAS. But two things which can't really be done in VMs or containers (and are required for at least my use cases):
UFW (or another firewall) & Netdata.
The latter of course can be run in a container, but you don't get nearly the same about of stats/visibility. But not a huge problem.
The former though is one, and has been brought up on the forum a few times before for CORE. I think people sometimes confuse a host software firewall with a full blown router like pfsense.
Either way, the idea to have a FW configurable through the UI was shot down (sometimes pedantically).
In this day and age, especially with the ongoing move to ipv6, the chances someone will need a software FW on the host is significantly increased. As I mentioned, my SCALE box is on a dedicated host in OVH. It's impossible to lock down such a server without a SW firewall as well (as while OVH has a "firewall" it doesn't block connections on their internal network so any OVH server/VPS can hit your box even if you set their FW to block all traffic. Completely crazy!). I use UFW for this due to ease of use and being the upstream "preferred" way.
Initially I worked around it by running a script after every nightly update I ran to reinstall it, but now I just build my own update tarball with UFW & Netdata built in.
If there was a "proper" way to apply changes on startup (like there is in CORE) then that would of course be preferred but I couldn't seem to find the equivalent in CORE (yet). I hope in time as the UI gains feature parity that that'll exist again :).
EDIT: found what I need in Data Protection > Init/Shutdown script