Support

The four headers that the plugin says it provides default for, Admin Tools' .htaccess / NginX Configuration / web.config Maker is better at managing them. It's the same headers, it's just that using a server configuration file applies them on all requests, not just those going through Joomla. This is especially important for HSTS and CORS headers.

Regarding the other headers, I maintain that it's best that you set them up manually, in your server configuration file (.htaccess, web.config or NginX's configuration) than using a plugin for two reasons:

1. Using a plugin only applies them on requests going through Joomla but not any arbitrary .php scripts, static HTML pages or CSS, JS and other files when accessed directly over the web. This includes SVG files which can be problematic for security (note that Admin Tools provides an option to neuter them).
2. Defining, for example, which HTML5 capabilities are required on your site necessitates going through your site with a fine comb and mapping the URLs where each capability is used. You then need to construct a header with rules corresponding to the URLs which need those capabilities. Similar considerations apply for all other headers the plugin mentions. At this point constructing the header is the easiest part. The plugin doesn't help you with anything.

For Content Security Policy (CSP) my recommendation is to not mess with it on Joomla 3, it will break stuff. Joomla 4 includes the plugin you mentioned in the core (in fact, the plugin is an adaptation of the same author's work in the Joomla 4 core) with a critical difference. Joomla 4 provides the necessary methods to sign inline JavaScript and CSS either with a per-page token or a cryptographic signature (the latter is still broken as of Joomla 4 beta 4), allowing you to set a very restrictive CSP. Without this Joomla 4 feature any CSP you choose that lets your site work won't make much of a difference with regards to security and any CSP which would increase security would break your site. So it's best to not touch it with Joomla 3.

So, based on all of the above it's best to use Admin Tools because the headers that make sense are best handled at the .htaccess level and they are either already handled by Admin Tools or there is no practical benefit to using a plugin to manage them as opposed to managing them manually.