While my TinfoilMod can remove this requirement for advanced users, the default behavior and configuration of hbl 2.2 are to be considered harmful for homebrew development. It heavily restricts the heap size for Applet homebrew, with no possibility of opt-in or opt-out.
I do not believe the current major toolkit developers for the Switch homebrew community have their community's best intentions in mind. While I would praise them for building a handful of the tooling, it clearly shows that there is no intention to do things properly (libnx: apm bug, HID issue, no support for shared libraries, unstable API, ...) or listen to the developers themselves (see the devkitPro archival case, for an example of this point). Their efforts are commendable, but the results are often poor, disappointing and deceiving.
I can only partially agree with your point where you claim that "There's no 'standards-compliant with the other two CFWs'". In order for homebrew to be generally as compatible as possible, ReSwitched and Switchbrew had decided on a common ABI for NRO-based homebrew, about which you can find more information here. However, it has often been broken, usually for the sake of compatibility. Nowadays, most homebrew will require a firmware modification or custom firmware to work, which defeats the entire purpose of NRO-based homebrew, in my opinion, unless modified. Some of the workarounds for these issues could have been implemented in nx-hbloader itself, but were instead implemented in Atmosphere. "New changes by the front-runner are always going to be out of 'standards'" does not mean others should follow or that they should just be accepted. This kind of behavior could mean a lot of trouble in the future.
Finally, I can attest that there is no issue with security or privacy with DZ/Tinfoil, as I've reverse-engineered it. Should you wish to confirm this and make further claims about it, feel free to reverse it yourself. I do not believe that closed source software is an issue by itself.