Trusted Path Execution (TPE) prevents users from executing any binaries that are writable by any user other than root. This makes it far harder for unprivileged attackers to execute any of their own code.
There’s different ways this can be implemented. Grsecurity had a GRKERNSEC_TPE option and there is a kernel module that does this, somewhat similar to LKRG GitHub - cormander/tpe-lkm: Trusted Path Execution (TPE) Linux Kernel Module
I don’t really like the look of tpe-lkm though as it’s only been tested on really old kernels and it adds a bunch of other extra, unrelated and poorly implemented features (e.g. restricting /proc/kallsyms, restricting /proc/modules, restricting ptrace etc.). The only potentially useful parts of the extra features are already part of the vanilla kernel.
I can maybe work on porting GRKERNSEC_TPE if you want as that seems to be the best approach. There was some work on that already https://github.com/AndroidHardeningArchive/linux-hardened/pull/32/commits/5af947c0a4c43256188c85f4220af145cb5d3d99
A huge issue with TPE in general though is interpreters as they can bypass the restrictions so we’d need “interpreter lock” ⚓ T941 lock down interpreters / compilers (interpreter lock) (compiler lock)
Alternatively, see the shebang LSM to restrict interpreters.