Jenkins / JENKINS-35514

Ability to disable script console


The administrative script console allows very broad access to Jenkins, and this has been a source of vulnerabilities in the past, e.g.

- https://www.rapid7.com/db/modules/exploit/multi/http/jenkins_script_console
- https://duckduckgo.com/?q=jenkins+script+console+java+execution&ia=web

My team never uses this feature, and we'd like to reduce our attack surface by disabling the console completely, preferably from the system-level Jenkins config (/etc/sysconfig/jenkins on Linux). Is there an existing undocumented option for that? If not, will it be possible to add such an option?

We do have mandatory auth and access control, but still would like to disable this feature.

Assignee: Unassigned
Reporter: Dmitry Erastov (dskrvk)
Votes: 0
Watchers: 6
