FWIW, we are currently using these 5 hardened runtime entitlements on the JRE and top-level bundle, because they're required for Java 8:
com.apple.security.cs.allow-jit
com.apple.security.cs.allow-unsigned-executable-memory
com.apple.security.cs.disable-executable-page-protection
com.apple.security.cs.allow-dyld-environment-variables
com.apple.security.cs.disable-library-validation
We're also using this 1 entitlement on all the command line utils, because the gcc toolchain needs it. The linker appears to load plugins by mmap(), which hardened runtime blocks unless this entitlement is used.
com.apple.security.cs.disable-library-validation
Some of the command line utils probably don't need this. Maybe in the distant future I'll figure out which ones truly need it, but for now the simplest thing was to just sign all the command line stuff the same way. But perhaps a future version of the toolchain will switch from mmap() to something more MacOS specific that will avoid the need for this entitlement?
Again, my focus is only to get everything working smoothly on Catalina. Extra dev time beyond the minimum MacOS requirements is going into improving the USB code and libs.