Kernel live patch, security updates for packages that canonical doesn't own/maintain, and access to certain configurations/options like fips