/proc still read-only, the article uses "mounts", a generic mechanism available for any area of the filesystem. This is allowed because mounting logic is living "above" filesystem-specific logic, and there is no specific exception for /proc filesystem.

One can imagine having a special code which checks for mounts for /proc, but this turns ugly pretty quick. Disallow all mounts on /proc? Not going to work, the PC I am typing the comment on has a mount at /proc/sys/fs/binfmt_misc. Maybe just disallow bind mounts only? This breaks "create chroot/container and bind-mount host fs" use case, plus attacker can mount tmpfs anyway.

You have to design some sort of rules for where mounting is allowed and where not, and then ensure they are correct and up-to-date. This is a non-trivial amount of work -- and for what? A method which is super obvious to detect (mount table entries!) and can only fool the beginner defenders?

Instead, Linux provides generic "LSM" hook mechanism that can restrict any operations, including mounts. If someone thinks such mount restrictions are a good idea, they are welcome to write kmod (kernel module) to do so, or configure one of the existing ones to reject those operations. But I expect that by the time people get knowledgeable enough to write kmods, they are knowledgeable enough to come up with a better protection against rogue root user.