thoughts about linux user isolation
/usr/bin/ contains far too much that an isolated user can run and mess with by default.
Should we apply a whitelist to all system binaries to achieve good isolation?
An isolated user should not be able to touch anything that controls the overall system, e.g. power control:
$ ls -la /usr/bin/ | grep shutdown
lrwxrwxrwx 1 root root shutdown -> systemctl
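A sketch of that whitelist approach, added here as an example rather than taken from the note: an explicit allowlist of tool names is linked into a separate bin directory, and any name whose symlink chain ends at systemctl (or another system-control binary) is refused, which catches exactly the shutdown -> systemctl case above. The fake /usr/bin it builds is constructed for the demo so it runs without root.

```shell
#!/bin/sh
# Added example, not part of the original note: build an allowlisted bin
# directory for an isolated user and refuse any name that resolves through
# symlinks to a system-control binary, so shutdown -> systemctl cannot slip
# past a name-only whitelist. Assumes POSIX sh and coreutils readlink -f;
# the fake /usr/bin from setup_fake_bin is constructed for the demo.

DENIED_TARGETS="systemctl shutdown reboot halt poweroff"
# is_denied PATH: succeed if PATH ultimately resolves to a denied binary.
is_denied() {
    target=$(readlink -f "$1") || return 1
    base=${target##*/}
    for d in $DENIED_TARGETS; do
        [ "$base" = "$d" ] && return 0
    done
    return 1
}

# build_allowlist SRC DEST "name ...": link each allowed name from SRC into
# DEST at its resolved target; print "name reason" for every reject.
build_allowlist() {
    src=$1; dest=$2; names=$3
    mkdir -p "$dest"
    for n in $names; do
        if [ ! -e "$src/$n" ]; then
            echo "$n missing"
        elif is_denied "$src/$n"; then
            echo "$n denied"
        else
            ln -sf "$(readlink -f "$src/$n")" "$dest/$n"
        fi
    done
}

# setup_fake_bin: constructed stand-in for /usr/bin (no root needed) with the
# same layout as in the note, shutdown -> systemctl; prints the temp root.
setup_fake_bin() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin"
    printf '#!/bin/sh\necho fake systemctl\n' > "$root/usr/bin/systemctl"
    printf '#!/bin/sh\necho fake ls\n' > "$root/usr/bin/ls"
    chmod +x "$root/usr/bin/systemctl" "$root/usr/bin/ls"
    ln -s systemctl "$root/usr/bin/shutdown"
    echo "$root"
}

# Demo: prints "shutdown denied" and "cat missing"; only ls is linked.
root=$(setup_fake_bin)
build_allowlist "$root/usr/bin" "$root/jail/bin" "ls shutdown cat"
rm -rf "$root"
```

A separate bin directory and PATH are only a convenience layer, since the isolated user can still invoke /usr/bin/shutdown by full path; the real enforcement for power actions has to come from polkit (the org.freedesktop.login1 actions) or from hiding /usr/bin behind a mount namespace.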