But then /usr/share needs to be mounted without noexec? Non-ideal? Or not matter since only root can write there?
Note: Tor Browser by upstream (The Tor Project) default mixes executable and user profile data folders into the same folder on the disk. It needs to be owned by a non-root user. Should the folder in /usr/share be owned by a non-root user?