That sounds great although having to login from a virtual console every time a user wants to run a command as root sounds cumbersome.
For a default configuration we could restrict root so only the user user can run su and sudo and root can only be logged in via something like tty1. This way, there won’t be much of a usability decrease while also having protection from any user gaining root via su or sudo.