Istio has a hardening guide that we've been working on: https://istio.io/latest/docs/ops/best-practices/security/

While not all of this applies to OSSM, much of it does and it would likely be helpful to let our users know what weaknesses/suggestions they should be aware of in order to deploy Istio in a secure way.