Install from unknown sources and adb enabled by default
Replicant allows the installation of apps from unknown sources by default. As F-Droid nowadays works perfectly without this setting enabled, there is IMHO no reason to keep it enabled.
Having adb enabled by default might be a nice thing for development and for advanced tasks, but it also adds a big attack vector. At the moment alone, there are two open security bugs related to adb on this issue tracker, and there might be more that are still unpatched. People who need adb will very likely know how to enable it.