This is heavily influenced by choice of DE. Some of them really do have all their options well laid out in the system settings, but others rely entirely on config files. I have little experience with GNOME, but with KDE I was able to customize my experience very heavily using only the system settings by just playing around in the GUI. Meanwhile, on another machine running Hyprland, I have had to read a lot of documentation in order to customize it, but the available options are relatively more powerful than the KDE setup.
Neither of these methods are more right than the other, but one is absolutely more new-user friendly, assuming they do not want to simply accept the defaults.
When the bad actor in question in a military or government organization, one of the realities of the modern world is that they will use your code whether you like it or not. They aren’t going to stop because you use a license that prohibits them using it, if they deem it something that is useful enough. They’ll just ignore your complaints and hide any wrongdoing long enough for you to go away.
If you publish FOSS, you are relinquishing a lot of control of how that software is used. A license that says “don’t use this in bombs” only works if all parties are acting in good faith, and I don’t think we can rely on millitaries playing nice if there’s an advantage to be had.