How to disable Shell access to the Jupyter Notebook docker images?

I have a JupyterHub with a
dockerspawner.
I only partly trust the users so that I want to restrict their access to the system as long as it is connected with a reasonable amount of effort.
Is there a way how I can forbid the default user ‘jovyan’ to install new packages/libraries/…, use the network, open a shell and/or issue commands, including all the standard tools of python (os.system, subprocess, etc.)? Is there any project you are aware of?