For system hardening, nscd should automatically create and install a seccomp filter on itself and for its children. See the libseccomp project (https://github.com/seccomp/libseccomp) for more details. The kernel allows for this to be turned off, so we need to test for it at runtime.
We need to consider that NSS service modules can do basically anything, so a high-quality implementation is difficult. An initial implementation could be restricted to the files and dns modules.
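A sketch of the runtime test described above, as an added example that is not code from this report or from nscd. It uses raw `prctl` calls instead of libseccomp so that it builds without extra libraries; the function names and the demo policy (deny `getppid`) are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* 1 if the running kernel accepts seccomp filters, else 0. With a NULL program
   a kernel with filter support fails with EFAULT, one without with EINVAL.
   Nothing is installed by this probe. */
int seccomp_filter_available(void)
{
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0L, 0L) == 0
           || errno == EFAULT;
}

/* Installs a filter in a forked child and checks that it is enforced there.
   Returns 1 = enforced, 0 = install or enforcement failed, -1 = unavailable. */
int filter_enforced_in_child(void)
{
    /* Constructed demo policy: getppid() fails with EPERM, the rest is allowed.
       A real policy would check seccomp_data.arch first and default to deny. */
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { sizeof insns / sizeof insns[0], insns };
    int status; pid_t pid;
    if (!seccomp_filter_available() || (pid = fork()) < 0)
        return -1;              /* caller decides whether to run unfiltered */
    if (pid == 0) {
        /* no_new_privs lets an unprivileged process install a filter. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1L, 0L, 0L, 0L) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog, 0L, 0L) != 0)
            _exit(2);
        _exit(syscall(__NR_getppid) == -1 && errno == EPERM ? 0 : 1);
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return 0;
    return WEXITSTATUS(status) == 0;
}
int main(void)
{
    printf("filter enforced in child: %d\n", filter_enforced_in_child());
    return 0;
}
```

A filter installed this way is inherited across `fork` and `execve`, which is what would cover the daemon's children.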