Besides being public or unlisted, toots can now be private, which means only visible to your followers. This feature can be used without locking your account, but is best used together with it, since someone could follow you just to see your posts otherwise. Most importantly, the best distinction from protected accounts on Twitter is that you can still post individually public toots while being locked.
Profiles display all toots that the viewer is allowed to see, i.e. public profiles seen by anonymous visitors and search engines contain only public and unlisted toots, while if you or your followers look at it, they contain all of them.
(Federation doesn't work well with this yet. From a remote instance's point of view, locked and unlocked accounts cannot be distinguished, and there's no protocol for sending a federated follow request, yet. Private toots do not federate, but public ones still do, so the effect is that your remote followers, on their end, will only see your public toots. On your end, they won't show up as followers (similarly, blocked users are now removed from your followers list, even if access control to your public feed cannot be enforced).)
When added to the iOS homescreen, the website should now allow you to login without opening Safari (thus going into an infinite cycle where you can't actually login on the homescreen).
There is now a fully functional OEmbed provider API for toots, i.e. you can embed a toot on another website just like you can embed a tweet or a SoundCloud player.
Generally, public pages design has been improved a lot, making it look a lot closer to the logged-in UI, but light instead of dark.
Merry Christmas to everyone and thank you for supporting this project!