First up is SELinux (Security-Enhanced Linux), a set of kernel add-ons and user-space tools that can be used to limit user programs and system servers to the bare minimum of privileges they need to function. It's basically a lock-down mode that minimizes the potential damage a malicious program can cause. The site says this seems to be an optional mode for security conscious enterprise and government users.
Next they discovered support for "Always-on VPN", a setting to configure the phone to only send data while connected to a VPN, and not when connected over the regular Internet.
The third new security feature discovered by Android Police is "Premium SMS Confirmation", a feature to prevent malicious apps from sending texts to premium numbers and steal your money:
If you're having a hard time reading through the programming junk, the main message says " would like to send a text message to [number], which is a premium SMS short code. Sending a message to this destination will cause your mobile account to be billed for premium services. Do you want to allow this app to send the message?" It's a nice, clear message that will pop up whenever an app tries to send a text to a short code. You're then allowed three options, "Send message," "Don't send," and "Report malicious app."