It should be a way to make system env vars (profile.d or simlar) as readonly so every users' shell had these set to empty values and unable to change them.
Yes; I'm aware, but for some environments writting a custom shell as the one for SDF would be an easier task. Or maybe a really restricted "ash" called "rash" -because it is- with maybe autocomplete and that's it. Hardcoded $PATH and the like.