Parts of this list are borderline ridiculous. Like, wow, did you know that
ed(1) can read files?
Seriously though, if you are running a machine in which you are deliberately putting people in a restricted shell, then you (hopefully) already know that you cannot just put them in a restricted shell in the normal operating environment, and have taken the steps to put them in their own
chroot(8) or something. Or better yet, if you really have such restrictions, you should write better policy to completely deny any and all access to those machines. Perhaps airgap the machine too, just to be safe.