I still believe turning off sysctl(2) as scheduled in Documentation/feature-removal-schedule.txt at the end of next year is a good idea. Code that no-one cares about bit-rots in horrible ways.
A few comments.
arc4random prefers to use /dev/urandom and tries that first, so even inside a nicely set up chroot it will work.
sysctl was absolutely riddled with exploitable code when I started working on it, and a hole was closed just a few weeks ago. It just happens that no one, not even those who exploit kernel issues for the fame, looked at the implementation details of sysctl.
I will agree that the sysctl format of only exporting simple integer and string values is much harder to exploit, and as such is a good idea.
As for the file descriptors, they are not exposed to other users. The permissions on /proc/<pid>/fd/ are limited. Except for one esoteric corner case, you can't do anything more with the file descriptors in proc than you could by attaching a debugger. Using file descriptors as ad hoc "capability" tokens is not broken in any way that I am aware of.
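The "file descriptor as capability token" property the message relies on can be observed directly. The following is an added example, not code from the original message or from the kernel: it creates a temporary file (constructed here under /tmp), takes a read-only descriptor to it, and checks the four properties that make the descriptor behave like a capability: its access mode is fixed at open(2) time, it cannot be used to write even by a privileged process, removing the name does not revoke it, and nobody can mint a fresh descriptor by path once the name is gone. It does not touch /proc/<pid>/fd/ and says nothing about the corner case the author alludes to.

```c
/* Added example: a file descriptor behaves like a capability token.
 * Permission checks happen once, at open(2); afterwards the descriptor
 * carries exactly the rights granted then, whatever happens to the path.
 * Everything below operates on a temp file this program creates itself. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Outcome of each check, filled in by fd_capability_demo(). */
struct fd_demo {
    int rdonly_flags_ok;            /* F_GETFL reports O_RDONLY on the read-only fd */
    int write_rejected;             /* write() on that fd fails with EBADF */
    int reopen_after_unlink_failed; /* open() by name fails with ENOENT after unlink */
    int read_after_unlink_ok;       /* read() through the held fd still returns the data */
    char contents[32];              /* what was read back through the held fd */
};

/* Returns 0 on success (results in *out), -1 if the environment refused to
 * cooperate (no writable /tmp, etc.). */
int fd_capability_demo(struct fd_demo *out)
{
    char path[] = "/tmp/fdcap-XXXXXX";   /* template for mkstemp(3) */
    const char msg[] = "secret token\n";
    memset(out, 0, sizeof *out);

    /* Create the file through a writable descriptor, fill it, drop it. */
    int wfd = mkstemp(path);
    if (wfd < 0)
        return -1;
    if (write(wfd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) {
        close(wfd);
        unlink(path);
        return -1;
    }
    close(wfd);

    /* Acquire a read-only "capability" to the same file. */
    int rfd = open(path, O_RDONLY);
    if (rfd < 0) {
        unlink(path);
        return -1;
    }

    /* 1. The access mode is a property of the descriptor, fixed at open time. */
    int fl = fcntl(rfd, F_GETFL);
    out->rdonly_flags_ok = (fl >= 0) && ((fl & O_ACCMODE) == O_RDONLY);

    /* 2. Holding a read-only fd does not let you write. The kernel checks the
     *    descriptor's mode, not the inode's permission bits, so even root
     *    gets EBADF here. */
    errno = 0;
    out->write_rejected = (write(rfd, "x", 1) < 0) && (errno == EBADF);

    /* 3. Remove the name. Nobody can obtain a new descriptor by path any more... */
    unlink(path);
    errno = 0;
    int again = open(path, O_RDONLY);
    out->reopen_after_unlink_failed = (again < 0) && (errno == ENOENT);
    if (again >= 0)
        close(again);

    /* 4. ...but the token already held keeps working: the rights were granted
     *    when the fd was created and are not re-checked against the path. */
    ssize_t n = read(rfd, out->contents, sizeof out->contents - 1);
    if (n > 0)
        out->contents[n] = '\0';
    out->read_after_unlink_ok = (n == (ssize_t)(sizeof msg - 1)) &&
                                strcmp(out->contents, msg) == 0;

    close(rfd);
    return 0;
}

int main(void)
{
    struct fd_demo d;
    if (fd_capability_demo(&d) != 0) {
        perror("fd_capability_demo");
        return 1;
    }
    printf("F_GETFL reports O_RDONLY:        %d\n", d.rdonly_flags_ok);
    printf("write() on read-only fd -> EBADF: %d\n", d.write_rejected);
    printf("open() by name after unlink fails: %d\n", d.reopen_after_unlink_failed);
    printf("read() via held fd after unlink:   %d (%s)", d.read_after_unlink_ok, d.contents);
    return 0;
}
```

Build with `cc -o fdcap fdcap.c && ./fdcap`. All four flags print 1 on Linux; the point is that nothing about the path (its existence, its permission bits) is consulted once the descriptor exists, which is what makes passing an fd to another process a meaningful grant of exactly that right and nothing more.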