There doesn’t seem to be much available against local source DoS (equals misbehaving buggy applications). See constrained system resources program starter wrapper.
Are the defaults sane?
I don’t think there are any default restrictions in Debian at all.