It can be done for GUI environments also. Nothing really requires setuid. We can replace them with capabilities.
The admin could whitelist their binaries.
Unlikely. We could cover /root since that’s a bit more likely to contain suid binaries, and it wouldn’t increase scan time much since most users would be storing their files in an unprivileged user’s home directory.
That would break a lot of things. For example, if I mounted a drive containing another Linux system to /mnt in order to debug an issue, permission hardener would kill all suid binaries in it and become extremely slow. A better solution would be mounting those filesystems with the nosuid option, since it’s much easier to revert (mount -o remount,suid /mnt vs. resetting all file permissions).
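As an added illustration of the nosuid approach discussed above (example code, not from the thread or the permission hardener project): a small check over /proc/mounts that lists mounts under a chosen prefix such as /mnt that were mounted without nosuid, so a foreign filesystem's setuid binaries can be neutralised by remount rather than by rewriting file permissions. The mount lines are constructed samples.

```python
# Added example: find mounts at or below a prefix (default /mnt) that lack
# the nosuid option, using the /proc/mounts line format:
#   <source> <mount point> <fstype> <options> <dump> <pass>
# SAMPLE_PROC_MOUNTS is constructed for this example, not captured from a host.
import shlex
from typing import List

SAMPLE_PROC_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt ext4 rw,relatime 0 0
/dev/sdc1 /mnt/usb\\040stick vfat rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
"""


def _unescape(field: str) -> str:
    # /proc/mounts encodes a space in a path as the octal escape \040
    return field.replace("\\040", " ")


def mounts_missing_nosuid(proc_mounts_text: str, prefix: str = "/mnt") -> List[str]:
    """Return mount points at or below `prefix` whose options do not include nosuid."""
    base = prefix.rstrip("/") + "/"
    missing = []
    for line in proc_mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, ignore
        mount_point = _unescape(parts[1])
        options = parts[3].split(",")
        if mount_point != prefix and not mount_point.startswith(base):
            continue
        if "nosuid" not in options:
            missing.append(mount_point)
    return missing


def remount_nosuid_command(mount_point: str) -> str:
    """Remount command adding nosuid; as the post notes, 'remount,suid' reverts it."""
    return f"mount -o remount,nosuid {shlex.quote(mount_point)}"


if __name__ == "__main__":
    for mp in mounts_missing_nosuid(SAMPLE_PROC_MOUNTS):
        print(remount_nosuid_command(mp))
```

Run against the real file with mounts_missing_nosuid(open("/proc/mounts").read()) to audit a live system.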