Security should be up to each user. Most security measures are just a
headache for the majority of users, added to protect a few careless
ones. If you want security, turn it on. If you don't need it, don't
turn it on.
- Default: store private keys in local storage in clear text. This
means malicious JavaScript on a different website could potentially
read those keys. The browser is not supposed to allow this, and with
careful browsing you should not visit malicious websites anyway. The
default assumes everyone browses carefully.
- "Protect with password" means your private key will be stored in
your browser, protected from cross-site scripting attacks by a
password you type each time you use the key. Cross-site scripting
attacks are performed by malicious websites, or by poorly designed
websites into which malicious JavaScript has been injected. They need
a browser flaw to function.
- "Use a hardware token" means your private key is stored inside a
FIDO dongle (or recreated internally if the dongle has no storage).
FIDO is normally used as a "second factor": you log in to a central
authority, and that central authority (website) then confirms your
identity by having you insert and touch your FIDO dongle when
prompted. In an SMF there is no central authority, so the FIDO dongle
is the first and only factor. Don't lose it, because you will lose
that private key and the identities associated with it. Newer keys
and Windows appear to use a PIN to protect them from unauthorized use,
so theft and unauthorized use are precluded.
- "End-to-end encryption": the E2EE key should be encrypted, and that
is the default. However, it is not required. Currently hardware
decryption is not supported, since FIDO only supports signing.