I’m not Mr. Chromebox, but I do work with PureOS so I thought I would jump in regarding firewall and Opensnitch.
OpenSnitch is an application-level firewall, that is to say it reviews the network traffic from inside the application. We’ve tested OpenSnitch in PureOS and it works well, but it is not yet in our repos due to newer versions of software dependencies.
There are other firewalls commonly used on PureOS, like nftables, which use the kernel network filtering mechanisms. People often use the UFW package (Uncomplicated FireWall), which has good documentation.
The use of SELinux does add another significant layer of security. It is complex to set up, however, so it’s wise for you to review the documentation, understand what is happening, and then set it up for your needs yourself.
Regarding TPM, I’ll leave that to Mr. Chromebox to answer, but it stands for “Trusted Platform Module” and is meant to be a secure physical place to store security-related keys and secrets.
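To make the kernel-level versus application-level distinction concrete, here is a minimal nftables ruleset of the kind UFW generates under the hood. It is an added illustration, not code from the post above or from PureOS packaging; the SSH rule and the 192.168.1.0/24 management prefix are assumptions to adjust for your own network.

```nft
#!/usr/sbin/nft -f
# Constructed example: a default-deny inbound host firewall.
# Everything here matches on addresses, ports and connection state in the
# kernel; nothing here knows which process opened a socket, which is the
# gap an application-level firewall such as OpenSnitch fills.

flush ruleset

table inet filter {
    chain input {
        # Default policy: anything not explicitly accepted is dropped.
        type filter hook input priority 0; policy drop;

        # Replies to connections this host initiated are allowed back in.
        ct state established,related accept

        # Packets the connection tracker cannot classify are discarded.
        ct state invalid drop

        # Loopback traffic is always allowed.
        iif "lo" accept

        # ICMP is needed for path MTU discovery; ICMPv6 also carries
        # neighbour discovery, so blocking it breaks IPv6 entirely.
        meta l4proto { icmp, ipv6-icmp } accept

        # Assumed: SSH administration only from the local LAN prefix.
        tcp dport 22 ip saddr 192.168.1.0/24 accept

        # Rate-limited logging of what the drop policy is about to discard.
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # This is a workstation, not a router: never forward packets.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound is left open; per-application outbound control is
        # exactly what a tool like OpenSnitch adds on top of this.
        type filter hook output priority 0; policy accept;
    }
}
```

Check the syntax without touching the running ruleset with `sudo nft -c -f ruleset.nft`, then load it with `sudo nft -f ruleset.nft` and confirm with `sudo nft list ruleset`. On a Debian-based system such as PureOS, placing the file at /etc/nftables.conf and enabling the nftables service makes it persist across reboots.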