Open
Labels
area/security, area/volumes (Volumes), exp/expert, kind/enhancement (Enhancements are not bugs or new features but can improve usability or performance.)
Description
For improved security it would be nice to have an option to mount volumes in the container with the noexec flag, similar to the already supported read-only mounts. With noexec the application could not create a new executable by setting the executable permission on a file under its control in a volume. In turn this allows restricting the application in the container to run only a few selected executables.
AFAICS the only way to do it currently is to bind-mount a host directory with the noexec option and then pass it to the container with the -v flag. However, this requires using non-portable host directories.
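A check for the property requested above, as an added example that is not part of the original issue or of Docker's code: it parses text in `/proc/<pid>/mountinfo` format and reports volume paths whose covering mount lacks `noexec`. The sample mount table and the volume paths in it are constructed for illustration.

```python
import posixpath
import re

_OCTAL = re.compile(r"\\([0-7]{3})")  # mountinfo escapes space etc. as \040

# Constructed sample in /proc/self/mountinfo format (not from a real host).
SAMPLE = r"""
100 50 0:60 / / rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u
101 100 0:61 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
102 100 8:1 /srv/uploads /data/uploads rw,nosuid,noexec,relatime - ext4 /dev/sda1 rw
103 100 8:1 /volumes/cache/_data /data/cache rw,relatime - ext4 /dev/sda1 rw
104 100 8:1 /srv/my\040files /data/my\040files ro,noexec,relatime - ext4 /dev/sda1 rw
"""

def parse_mountinfo(text):
    """Return {mount_point: set of per-mount options} from mountinfo text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or "-" not in fields:
            continue  # blank or malformed line
        # Field 5 is the mount point, field 6 the per-mount options.
        point = _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), fields[4])
        mounts[point] = set(fields[5].split(","))  # later entry shadows earlier
    return mounts

def covering_mount(mounts, path):
    """Longest mount point that is a whole-component prefix of path."""
    path = posixpath.normpath(path)
    best = None
    for point in mounts:
        inside = point == "/" or path == point or path.startswith(point + "/")
        if inside and (best is None or len(point) > len(best)):
            best = point
    return best

def executable_volumes(text, volume_paths):
    """Return the paths where files could still be made executable."""
    mounts = parse_mountinfo(text)
    findings = []
    for path in volume_paths:
        point = covering_mount(mounts, path)
        if point is None or "noexec" not in mounts[point]:
            findings.append(path)
    return findings

if __name__ == "__main__":
    paths = ["/data/uploads", "/data/cache", "/data/my files/report", "/tmp"]
    print(executable_volumes(SAMPLE, paths))
```

Inside a running container, pass the contents of `/proc/self/mountinfo` as the text and the container's volume mount points as the paths.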