We've been using PaX/Grsecurity on Debian( as server) and Linux Mint( as Desktop) for a while. It's working perfect fine until now. You can also tweak the reproducible builds as well:
We don't have such leap of faith in KSPP due to there are several exploitable bugs( CVE-2017-0358, CVE-2016-1583, CVE-2016-0728, CVE-2017-6074, CVE-2017-7184, etc), which can be turned to "massive" exploitations in past couple of months. And it's just the tip of the iceberg in past 16 years:
There are tons of features from PaX/Grsecurity, e.g: PAGEEXEC/SEGEXEC/ASLR/KERNEXEC/UDEREF/MPROTECT/RAP/etc. None of them are created by KSPP even though some vendors integrated some of features( weakened usually) into hardware in recent years.
PDF: https://grsecurity.net/10_years_of_linux_security.pdf
PPTX: https://grsecurity.net/10_years_of_linux_security.pptx