Enforcing execution of only signed ELF binaries would also prevent the user from downloading and executing arbitrary ELF binaries from attackers (for example, sent through e-mail and accidentally executed). It would help to break exploit chains that deploy an ELF binary through drive-by download and then execute it. Is that realistic at all, or wouldn’t that work against the usual remote code execution bugs?
Maybe apparmor-profile-everything + noexec would have the same effect?
While easily enabling noexec was recently implemented, I don’t think we can enable that by default anytime soon, because “Tor Browser vs NOEXEC - Where should the Tor Browser folder be placed?” is not implemented at the time of writing.