In my (non-expert) opinion, there are a few reasons

1. NPM is more popular than those other services by an order of magnitude, especially among new developer and startups.
2. NPM allows for code to be executed while you install the package which is different from maven or nuget and allows for easy exploitation paths

This works until you scale the team beyond 1 person and someone else needs to decipher the 30 line awk | sed | xargs monstrosity you created. Give me a real programming language any day.

Mods of communities can already see votes in communities they moderate. Admins of instances can already see votes on all content.

It’s perfectly normal for your computer to have daemons.

You should definitely set up a DMARC record to prevent other people from using your email domain to send spam. If you don’t have DMARC configured, other email servers will give any senders the benefit of the doubt and accept mail that claims to be from your domain.

You can just set the DMARC record to reject 100% of unverified mail and call it a day. Since you aren’t sending anything it won’t affect you.

The ideal solution is to have one identity provider and then use Single Sign-On (SSO) to authenticate your users to all of their other apps. All of the big identity providers (Microsoft, Google, Okta, etc) support security keys.

I recognize that it might not be feasible to use SSO for all of your apps as a small business; a lot of SaaS platforms unfortunately charge extra for SSO. That being said my advice would be use SSO whenever possible for your apps and include SSO availability in your decision-making process for purchasing new software.

For those apps that do not support SSO, my advice would be to either compensate employees for using their personal devices for work or give them corporate devices that are only used for work things.