There are a few restrictive mount options that you can use to increase security. These are noexec, nosuid and nodev. noexec prevents executing anything, nodev prevents interpreting devices and nosuid disables SUID binaries.
Obscurix uses these for some directories by default. If the directory isn't a mount point already, a bind mount is created. The following directories use restrictive mount options: