Confusing information about installing `kicksecure-cli-host` or `kicksecure-xfce-host`

I’m going to install Kicksecure on a bare-metal Debian host.
This will be a clean install from scratch of Debian 12 > Kicksecure > Whonix
Kicksecure will only be used as host for Whonix (will not be the main driver for everyday life)

So I have a choice:

1. Install Debian XFCE + kicksecure-cli-host
2. Install Debian CLI (without DE) + kicksecure-xfce-host
3. Install Debian XFCE + kicksecure-xfce-host

Can anyone answer if there are any significant differences in these scenarios?

I’m asking because it says here about CLI version: “This package provides better kernel hardening, improved entropy, and other security features”

Does this mean that version of scenario 1 above (Debian XFCE + kicksecure-cli-host) is the most secure?
Is kicksecure-cli-host more secure than kicksecure-xfce-host?

This is best if you want Xfce. No potential extra packages from Debian Xfce.

Xfce has GUI packages.

check

apt-cache pkg-name

Replace pkg-name with the name of the packages of interest to you.

check kicksecure-meta-packages (find on search engines) file:
debian/control

Thank you for the clarification, but this statement is still unclear to me:

CLI version: “This package provides better kernel hardening, improved entropy, and other security features”

Does this mean that kicksecure-xfce-host does not include this “better kernel hardening, improved entropy, and other security features” ?

Too much too explain. Too much nuance.

User documentation is sufficient. No “extras” needed.

Does this mean that kicksecure-xfce-host does not include this “better kernel hardening, improved entropy, and other security features” ?

kicksecure-xfce-host Depends: on kicksecure-cli-host so you get
that automatically.

Thank you Patrick! That’s exactly what I meant.
Perhaps my poor English is to blame.