So Linux can prevent an agent from opening /etc/passwd.
Linux cannot stop an agent from calling:
POST /wire-transfer amount=5,000,000
You'd do that with a container and a layer 7 egress proxy rule e.g. mitmproxy.
Sure it's work to build such things, but building restraints into the app feels more reliable than playing whack-a-mole with scanner results.
Operating systems can probably do better to meet this need (e.g. capability based ones like fuchsia) but even as is their rules just feel so much more binding.
Any LSM can stop that POST. SELinux, AppArmor, Tomoyo, etc. They are built-in to the kernel. You just need to know what you are doing to use them.