A little late, but maybe someone else finds this interesting, too.
Another hint I read about once was to remove executable functionality from
places where it isn't needed. In this example you could have /tmp on a
separate partition and enable the nosuid,noexec flags (see man mount).
Keeping writable directories on partitions other than the ones your system
resides on can also be beneficial when someone might try to fill up all
disk space to cause you trouble of some sort.
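As an added illustration of the check this reply suggests (my own script, not part of the original post), the POSIX sh below audits fstab-style entries to see whether the writable directories live on their own filesystem and carry nosuid and noexec. It also checks for nodev, which is commonly paired with those two. The fstab content is constructed sample input with placeholder UUIDs, not taken from any real system.

```shell
#!/bin/sh
# Audit fstab-style mount entries for the hardening described above:
# writable directories such as /tmp on their own filesystem, mounted
# nosuid,noexec (plus nodev, which is usually set alongside them).
# SAMPLE_FSTAB is constructed sample input; the UUIDs are placeholders.

SAMPLE_FSTAB='
# <device>            <mount>   <type>  <options>                     <dump> <pass>
UUID=root-placeholder /         ext4    defaults,errors=remount-ro    0 1
UUID=tmp-placeholder  /tmp      ext4    defaults,nosuid,noexec,nodev  0 2
UUID=home-placeholder /home     ext4    defaults                      0 2
tmpfs                 /dev/shm  tmpfs   defaults,nosuid,nodev         0 0
'

# has_opt OPTIONS NAME -> success if NAME appears as a whole option in the
# comma-separated OPTIONS string (so "noexec" does not match "exec").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# missing_hardening OPTIONS -> prints the hardening options absent from
# OPTIONS, space separated; prints nothing when all are present.
missing_hardening() {
    _missing=""
    for _opt in nosuid noexec nodev; do
        has_opt "$1" "$_opt" || _missing="$_missing $_opt"
    done
    printf '%s' "${_missing# }"
}

# mount_options FSTAB MOUNTPOINT -> prints the options field of the entry
# for MOUNTPOINT, or nothing if MOUNTPOINT has no entry of its own (it then
# lives on the parent filesystem and cannot carry its own mount flags).
mount_options() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }   # skip comments and blank lines
        $2 == mp { print $4; exit }
    '
}

# audit_dir FSTAB MOUNTPOINT -> prints one status line:
#   "MOUNTPOINT: not a separate filesystem"  (return 1)
#   "MOUNTPOINT: ok"                         (return 0)
#   "MOUNTPOINT: missing nosuid noexec"      (return 1)
audit_dir() {
    _opts=$(mount_options "$1" "$2")
    if [ -z "$_opts" ]; then
        printf '%s: not a separate filesystem\n' "$2"
        return 1
    fi
    _miss=$(missing_hardening "$_opts")
    if [ -z "$_miss" ]; then
        printf '%s: ok\n' "$2"
        return 0
    fi
    printf '%s: missing %s\n' "$2" "$_miss"
    return 1
}

# Run the audit over directories that typically need to be writable by
# unprivileged users or daemons.
for d in /tmp /var/tmp /home /dev/shm; do
    audit_dir "$SAMPLE_FSTAB" "$d" || :
done
```

Against the sample input this reports /tmp as ok, /var/tmp as not being a separate filesystem (so it inherits the root filesystem's flags and cannot be restricted on its own), /home as missing all three options and /dev/shm as missing noexec. To run it against a live system, replace SAMPLE_FSTAB with the contents of /etc/fstab, or better, with the output of findmnt, since what is actually mounted can differ from what fstab declares.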