Thanks for reminding me of noexec; I'm no Linux security expert by any means, so I was merely trying to figure out what's possible and what's not.

It looks like mounting /dev/shm with noexec is not that common, though, is it? See e.g.

https://unix.stackexchange.com/questions/670362/mounting-dev...

More generally, it regularly blows my mind how hard it is to harden a Linux installation, and how many pitfalls and caveats there are.