- unprivileged process took action to prevent gaining a capability.
- exec'd suid sendmail.
- sendmail took action as root because it could not become someone else.

Which is a classic bug and replicated historically in cpu time, quota and
other similar "remove rights and then .." attacks.

I would like to trivially stop that entire class of exploit by making
execing a suid ( or equivalent ) executable impossible.

Fine the LSM modules can already build such policies or you can add a new
LSM for it - it doesn't need whacky one off extensions to prctl.

Of course you could also have an LSM which undoes restrictions on suid
apps instead. Thats an equally valid model, just don't load both at once
and don't assume you have the one true model.