I did run fwupdmgr security from a Fedora 39 Liveusb
Host Security ID: HSI:0! (v1.9.5)
HSI-1
✔ MEI key manifest: Valid
✔ Platform debugging: Disabled
✔ SPI lock: Enabled
✔ Supported CPU: Valid
✔ TPM empty PCRs: Valid
✔ TPM v2.0: Found
✔ UEFI bootservice variables: Locked
✔ UEFI platform key: Valid
✔ csme override: Locked
✔ csme v0:16.1.25.1865: Valid
✘ SPI BIOS region: Unlocked
✘ SPI write: Enabled
✘ csme manufacturing mode: Unlocked
HSI-2
✔ IOMMU: Enabled
✔ Intel BootGuard: Enabled
✔ Platform debugging: Locked
✘ Intel BootGuard ACM protected: Invalid
✘ Intel BootGuard OTP fuse: Invalid
✘ Intel BootGuard verified boot: Invalid
✘ TPM PCR0 reconstruction: Invalid
HSI-3
✔ Intel CET Enabled: Enabled
✔ Pre-boot DMA protection: Enabled
✘ Intel BootGuard error policy: Invalid
✘ Suspend-to-idle: Disabled
✘ Suspend-to-ram: Enabled
HSI-4
✔ Intel SMAP: Enabled
✘ Encrypted RAM: Not supported
Runtime Suffix -!
✔ Intel CET Active: Not supported
✔ Linux kernel: Untainted
✔ Linux swap: Encrypted
✔ fwupd plugins: Untainted
✘ Linux kernel lockdown: Disabled
✘ UEFI secure boot: Disabled
It seems I have a few tweaks to make to improve the security, per the output (trimmed, sorry :D)