Basically when using a custom tuned profile like this

[main]
include=virtual-guest

[variables]
original_cmdline=
cme_cmdline=selinux=1  ipv6.disable=1 nosmt=force


[bootloader]
cmdline=${original_cmdline} ${cme_cmdline}

The customer reports: though mitigations=off is taken out. next boot picks up mitigations=off

The belief here is that tuned is not reconciling "current kargs" vs "desired kargs" appropriately here.

That said, this is quite tricky to do because it requires tuned to track its own current/desired state of kargs. With bootc now we have /usr/lib/bootc/kargs.d (ref https://docs.fedoraproject.org/en-US/bootc/kernel-args/ ) but that only applies at image build time today. We may want to also add `/etc/bootc/kargs.d` that can support machine-local kargs.
Then tuned could just drop in /etc/boot/kargs.d/tuned.conf with its desired state, and bootc would be responsible for reconciling that across upgrades.