Here it must be clearly defined who is allowed to control what and to what extent with kubectl. This is done with RBAC, but it doesn't hurt to prevent certain commands like kubectl "verb" sa, kubectl "verb" clusterroles and roles including bindings, kubectl config view, kubectl config "verb" context, etc. Generally to disable, regardless of RBAC.
Please feel free to contact us for any question that is not answered yet.
We are looking forward to get in contact with you!