I think os-relesase describes the operating system, not policies.
You are right. Perhaps machine-info would be a better fit than os-release.
To what extent a machine is locked down is a policy choice. There are already loads of tools available to manage policy so this really doesn't belong here and if you want to ensure that your fleet of machines are locked down through something like PREFER_HARDENED_CONFIG=1, you're going to need tools to manage *that* anyway. Then why not use the same tool(s) to simply manage the machines?
It's 2022 - nobody should be doing this by hand.
