login.conf: the default, don't think there's any reason to change it on a non-shared machine.
kern.maxfiles being bumped is necessary to run large applications (Firefox); NetBSD 10 will come with a much increased default though. kern.ipc.shm_use_phys may or may not be helpful. security.models.extensions.* determine whether some commands (schedctl, mount) work as non-root. hw.audio0.multiuser is necessary to run some daemons that play audio as a different user (musicpd).