I don't know what goes into the day-to-day maintenance at sdf.org, but they are able to provide public access to a NetBSD system without any major security breaches. The lore there is that before the switch from Linux to NetBSD, security was a mess. Of course they made the change almost 20 years ago, so things probably are different today.
sdf.org is interesting because it is one of the few services running a multi-user capable OS - and using it that way. I donated to them years ago, primarily for the complimentary email address, and in setting that up I was poking around in the shell - that was the first I'd seen 'who' return a list of active sessions that weren't me.