Our "killer app" thus far, in terms of useful things that actually require root, is PicCap [1] - which enables low-latency framebuffer capture for DIY Ambilight systems.
In the just-for-fun department, you can replace the default screensaver animation with a bouncing DVD logo. [2]
Some telemetry is blocked unconditionally during startup, although it is incomplete [1] (Perhaps I was a bit over-optimistic when I said a pihole was not required).
Custom CA certs are possible, which people on older models have been using to work around issues stemming from the X3 cert expiry [2].
Devel is a lot better. It has a wizard to get you started that is excellent and loads of other stuff.
Disable the dynamic DNS options for DHCP on the DNS resolver to avoid problems with Python modules in the DNS resolver (unbound).
Untick the box for leaving config behind and uninstall pfb not devel. Install pfb devel.
Go to Firewall -> pfblockerng-devel and you will be presented with a wizard. Take the defaults but do indicate your WANS and LANS when they are asked for. You'll get a great basic PRI1 ruleset setup and DNS blocking too, out of the box. I recommend adding "TOR/Tor Project Bulk Exit List" - block inbound on WAN as soon as you work out how to do it.
There is a vast amount of built in rule set links. Give them a go.
If you want easy then go for block on inbound and/or outbound on all rules but if you need some flexibility then go for aliases and make your own rules.
Nice, I’d love to install software such as rpiplay [0] to mirror my iOS device, also would be nice to maybe gain some kind of low-latency wireless Linux-compatible screen share server.
I also want to install my own CA to the TV but the obvious location is read-only.