Linux does have mechanisms to prevent changes to userspace (in particular the Integrity Measurement Architecture), but you’re right that distributions don’t generally implement these in a useful way. Some more locked-down distributions like Google’s Container Optimized OS do use these to prevent offline userspace changes.