SELinux and protecting users' .ssh folders

I have seen a lot of sudo rules that were badly written and allowed some sort of privilege escalation, and I was wondering if SELinux could be leveraged to prevent that. Here is an example:

I am assuming I have a confined user named “confined”, that is able to elevate privileges and gain root access.
To give a practical example:

useradd confined -Z staff_u
echo 'confined ALL = (ALL) NOPASSWD: /bin/cat' > /etc/sudoers.d/confined

We authorize our public key, log in as the “confined” user, and can verify that SELinux works great:

# case1:
[confined@raw ~]$ sudo cat /etc/shadow
cat: /etc/shadow: Permission denied
# case2:
[confined@raw ~]$ sudo cat /root/.bash_history
cat: /root/.bash_history: Permission denied
# case3:
[confined@raw ~]$ sudo cat /home/cloud-user/.ssh/id_rsa
cat: /home/cloud-user/.ssh/id_rsa: Permission denied

However, it’s still possible to access the .ssh folder:

# case4:
[confined@raw ~]$ sudo cat /root/.ssh/id_rsa | head -1
# case5:
[confined@raw ~]$ sudo -u cloud-user cat /home/cloud-user/.ssh/id_rsa | head -1

It is possible because, while /root has the label admin_home_t, /root/.ssh is labelled with ssh_home_t, which staff_u can access. Also, if confined can really elevate privileges to root, it can also change user and read other users' data as well.

It seems that this is the kind of threat that SELinux is made to help defend against, so I was wondering if anyone had any insight on possible ways to configure that better. Thanks!

case1 and 3: permission denied because of missing dac_override and dac_read_search capabilities
case2: denied because staff_u cannot read files labelled admin_home_t
case4 and 5: are allowed as staff_u can read files labelled ssh_home_t and there is no extra capability needed.

So SELinux is just working as configured, and is not really useful for my use case, so confining the users in the hope of reducing the exposure of badly written sudo rules does not bring much.

EDIT2: in fact it is completely useless as I can also run

sudo -r unconfined_r cat /etc/shadow
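
Added example, not part of the original post: a shell check that reads `semanage user -l` output and reports which SELinux users have unconfined_r in their role set, which is what lets the `sudo -r unconfined_r` call in EDIT2 succeed. It assumes the stock targeted policy; the sample table is constructed, and the function names and the login "alice" used in testing are hypothetical.

```shell
#!/bin/sh
# Constructed sample in the format printed by `semanage user -l`
# (values follow the stock targeted policy; not taken from the post).
sample_semanage_users() {
cat <<'EOF'
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         user       s0         s0                             guest_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
EOF
}

# users_with_role ROLE: read `semanage user -l` output on stdin and print
# every SELinux user whose authorised role set contains ROLE.
users_with_role() {
    awk -v role="$1" '
        $1 ~ /_u$/ || $1 == "root" {
            # Fields 1-4 are user, prefix, level, range; roles start at field 5.
            for (i = 5; i <= NF; i++)
                if ($i == role) { print $1; break }
        }'
}

# audit_login LOGIN SEUSER: report whether the SELinux user mapped to a
# Linux login has unconfined_r available (table is read from stdin).
audit_login() {
    if users_with_role unconfined_r | grep -qx "$2"; then
        echo "$1 ($2): unconfined_r is in its role set"
    else
        echo "$1 ($2): role set excludes unconfined_r"
    fi
}

# The post's user: Linux login "confined" mapped to staff_u.
sample_semanage_users | audit_login confined staff_u
```

On a live system, replace `sample_semanage_users` with `semanage user -l`. A login mapped to an SELinux user whose role set omits unconfined_r cannot be given that role by sudo.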