There's another feature in there as well: PR_SET_NO_NEW_PRIVS. It's a requirement for enabling seccomp mode 2, but it can be useful on its own.
For example, pam_nnp (temporarily at http://web.mit.edu/luto/www/linux/nnp/) will let you prevent certain users from using setuid programs. Comments welcome. I'll try to get this into upstream pam once the feature hits mainline.