Just use Brace as a whole; it does that and way more: GitHub - divestedcg/Brace: Toolkit compatible with multiple Linux distros that allows for installation of handpicked applications, along with corresponding configs that have been tuned for reasonable privacy and security.
- Combine it with firejail, fapolicyd, real-ucode, and my hardened_malloc package (which now supports buffer overflow checks).
- Running brace-audit gives you the steps to do all of this.