Removing security options --userns and --privileged from docker cli

Hello,

I’ve setup user namespaces in the docker daemon to isolate containers from the host.

Unfortunately, users who can run docker cli are still able to start containers with --userns=host to expose the host.

I’d like to disallow this behavior.

Is removing the --userns and --privileged options from docker-ce/master/components/cli/cli/command/container/opts.go enough to accomplish what I want?

Any other suggestions to accomplish my goal of unconditionally enforcing the defined uid/gid mappings for containers?