> configuration smeared across several possible paths
This does make things confusing, and while it may be inconvenient, it is not a security risk.
I use firejail with most apps and they do not have access to any other files than their own (most of the time).
FWIW, I am completely fine with ~/.ssh and I hope it keeps being ~/.ssh. I prefer SSH-related stuff to be in one place. Same with ~/.gnupg. I do not want to miss anything when I am making backups.
Let's say that there are just two possible paths for an authorized_keys file (P1 and P2).
The choices are:
1. Check P1, if it doesn't exist use P2
2. Check P2, if it doesn't exist use P1
3. Merge the contents of P1 and P2 somehow
You need to remove authorization for a key (or certificate); you confirm it has been removed from P1. In both cases #2 and #3 above, you may have failed to actually remove authorization!
Obviously if there are more than 2 possible paths, things get even worse. Also, if you follow XDG to the letter (where things can be redirected by environment variables), there are even more confounding issues, because the environment that sshd sees could be different from the environment that the user sees.
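Added example, not part of any commenter's post: a small Python model of the three lookup choices listed above, showing which ones still honour a key after it has been removed from P1 only. The file names, the sample keys and the whole-line comparison are assumptions made for illustration; real authorized_keys entries can carry option prefixes that this sketch ignores.

```python
import tempfile
from pathlib import Path

def read_keys(path):
    """Return the set of key lines in an authorized_keys-style file (empty if missing)."""
    if not path.exists():
        return set()
    lines = (ln.strip() for ln in path.read_text().splitlines())
    return {ln for ln in lines if ln and not ln.startswith("#")}

def effective_keys(policy, p1, p2):
    """Keys actually honoured under each of the three lookup choices."""
    if policy == 1:   # check P1, if it doesn't exist use P2
        return read_keys(p1) if p1.exists() else read_keys(p2)
    if policy == 2:   # check P2, if it doesn't exist use P1
        return read_keys(p2) if p2.exists() else read_keys(p1)
    if policy == 3:   # merge the contents of P1 and P2
        return read_keys(p1) | read_keys(p2)
    raise ValueError(f"unknown policy: {policy}")

def revoke_from(path, key):
    """Remove a key from one file only, as in the scenario described."""
    kept = [ln for ln in path.read_text().splitlines() if ln.strip() != key]
    path.write_text("\n".join(kept) + "\n")

def demo():
    # Constructed sample entries, not real key material.
    alice = "ssh-ed25519 AAAAC3ConstructedAliceKey alice@example"
    bob = "ssh-ed25519 AAAAC3ConstructedBobKey bob@example"
    with tempfile.TemporaryDirectory() as d:
        p1, p2 = Path(d, "P1"), Path(d, "P2")
        p1.write_text(f"{alice}\n{bob}\n")
        p2.write_text(f"{bob}\n")        # stale copy in the second location
        revoke_from(p1, bob)
        assert bob not in read_keys(p1)  # the "confirmed removed from P1" check passes
        # Map each policy to whether the revoked key is still honoured.
        return {policy: bob in effective_keys(policy, p1, p2) for policy in (1, 2, 3)}

if __name__ == "__main__":
    for policy, live in demo().items():
        print(f"policy {policy}: revoked key still authorized = {live}")
```

An audit for this condition has to evaluate the effective set under the lookup order the server actually uses, not the contents of whichever file was edited.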
Mmm...not exactly. When security is difficult, the default fix is to turn it off, work around it, etc. Security should be relatively simple.
Increasing the difficulty of correctly configuring additional directories increases the chance something "bad" may happen. As a theoretical example, for ssh say that config is not protected the same way keys are (on the file system or by policy). Pair this with some option that, when configured, exposes the contents of the keys.
Increasing the complexity required to secure something makes it inherently less secure.