Moving this to the LSM brings it one step closer to being a feature of SELinux policy (which is basically what this should have been from the start). "They who misunderstand SELinux are destined to reinvent it badly", I guess...

Those who misunderstand that complex software is too complex so it gets reinvented badly are bound to reinvent complex software so complex it is bound to be reinvented badly.

I dunno exactly what you're trying to say here but, while SELinux isn't trivial, it only took two weeks or so to get my head around (Bind, SendMail, OpenSSL, systemd I would all describe as a similar level of complexity). Compared to things that we talk about on this website - OpenGL and Vulkan that took me a month or so to get a cube to display - it's fairly straight forward.

In any case, SELinux is a thing that sits on the LSM and provides policy files to configure system-wide mandatory security features (basically blanket and per-process sandboxes that you can't sudo or chmod to get around). It works by default out of the box on many distros. Adding these new "lockdown settings" as an additional policy that could just be enabled by default seems like a nice idea. Other LSM security systems (GRSecurity, etc) presumably can now also switch this on by default if they think want, without having to recompile the kernel...