Comment by Bender 17 hours ago

If anyone finds it useful, these can be added in a startup script but don't put it in sysctl.conf or sysctl.d/ as it may eventually break OS updates. Someone will say these have never broken their OS update but what they do not realize is that they have jinxed themselves and Murphy's law is now active. These options may prevent some rootkits malicious or otherwise. Research these options and test them before running scissors.

    kernel.modules_disabled = 1
    kernel.kexec_load_disabled = 1
The options can be loaded last after the OS is entirely up and running using sysctl. The script that loads these options would have to be disabled and the OS rebooted prior to doing OS updates. Once these options are enabled they cannot be disabled without a reboot.

If giving a video game sudo or doas or root access, research the game, its developers and publisher exhaustively and ask a magic 8 ball at least 3 times if the game developers can be trusted. Are they within your country's jurisdiction? As others alluded to, consider having a dedicated bare metal system for the games that are suspect. Keep a thumb drive around with the OS image, maybe even a few OS snapshots just in case the game performs dark magic on your system. Consider enabling auditd with custom rules to watch for writes within /boot, /etc, /lib and /usr at very least. Auditd has a built in module that can be enabled to send auditd messages to a remote syslog server. If a game is doing something sneaky or shady, name and shame them.
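
As an added example (not Bender's script, and not from the thread): a POSIX sh late-boot hook that sets the two sysctls above, confirms they took, and installs auditd watch rules for the four directories. The rule file name, the audit key, the `--apply` flag and the overridable `/proc/sys` root used for testing are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the thread. Late-boot lockdown hook: set the two sysctls
# Bender lists, confirm they took, and install auditd watch rules for the listed
# directories. Rule file name, audit key and the --apply flag are this example's choices.

SYSCTL_KEYS="kernel.modules_disabled kernel.kexec_load_disabled"
WATCH_DIRS="/boot /etc /lib /usr"
AUDIT_KEY="sysfile_write"
RULE_FILE="/etc/audit/rules.d/90-sysfile-watch.rules"

# kernel.modules_disabled -> $2/kernel/modules_disabled
sysctl_file() {
    printf '%s/%s\n' "$2" "$(printf '%s' "$1" | tr . /)"
}

# Emit one auditd watch per directory: log writes and attribute changes, tagged
# with $AUDIT_KEY so they can be pulled back with `ausearch -k $AUDIT_KEY`.
audit_rules() {
    for d in $WATCH_DIRS; do
        printf '%s %s -p wa -k %s\n' -w "$d" "$AUDIT_KEY"
    done
}

# Succeed only if every lockdown key reads 1. $1 overrides the /proc/sys root so
# the check can be exercised against a constructed tree without root.
lockdown_active() {
    root="${1:-/proc/sys}"
    for k in $SYSCTL_KEYS; do
        f="$(sysctl_file "$k" "$root")"
        [ -r "$f" ] && [ "$(cat "$f")" = 1 ] || return 1
    done
    return 0
}

# Needs root. Once set, these cannot be cleared again without a reboot.
apply_lockdown() {
    for k in $SYSCTL_KEYS; do
        sysctl -w "$k=1" >/dev/null || return 1
    done
    lockdown_active || { echo "lockdown sysctls did not take" >&2; return 1; }
}

# Needs root and auditd installed; augenrules merges rules.d/ and loads the result.
install_audit_rules() {
    audit_rules > "$RULE_FILE" && augenrules --load
}

# Only acts when explicitly asked, so sourcing this file for the helpers is harmless.
case "${1:-}" in
    --apply) install_audit_rules && apply_lockdown ;;
esac
```

Run it from whatever your distribution executes last at boot (rc.local or a one-shot unit) with `--apply`, and remember to disable that hook and reboot before package upgrades, exactly as the comment says.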

ronsor 14 hours ago

I will map /dev/kmem and disable it for you; do not worry.

-- Your friendly neighborhood rootkit developer

  • Retr0id 14 hours ago

    CONFIG_DEVKMEM=n

    • ronsor 14 hours ago

      Hmm... Mount efivarfs, change boot configuration to use a backdoored initramfs. Then fake a kernel panic screen and reboot :)