ASLR for userspace is supported.

KASLR (kernel) was added with 5.0.0. PASLR (physical) was added with 10.0.0.

Support for RelRo (read-only-relocations) was added with 17.0.0, binaries built for [17.0.0+] use this.

[S2] PAC is used for retaddrs on stack.

Support for --X was initially added with [19.0.0+], however it's only used on S2.

S2 sysmodules have --X .text, starting with [19.0.0].

Besides the CFI used by web-applets, S2 sysmodules use a version of CFI which validate vtable-ptrs (the address of the ptr, without accessing the data located there). PAC is not used with this. An undefined-instruction exception is triggered on CFI failure.