linux
arudmin, 2014-08-14 00:33:29

How to allow only certain commands to run in the console?

I have a task where I need to create a user and allow him to run only (!) one application in the console.
I tried giving him curl instead of a shell, but that option is not suitable, since the person needs to be able to execute the command with parameters in the console.
Other commands must be disabled.
I know about chroot, but there may be other solutions.
Thank you.


4 answer(s)
arudmin, 2014-08-14
@arudmin

In general, this is a case of "asked it myself, answered it myself." The lshell shell does a good job of solving this problem. The main disadvantage of using chroot to solve this problem is that you have to build an environment (albeit a minimal one) for the user placed in it. That is, you need to duplicate some data, keep track of updates, etc. Lshell is a user shell that allows the user to execute only certain commands and go to specified directories. The config is very simple and understandable, so I figured it out in 10 minutes and have already tested this setup.
After installing the package from the standard Debian repository, you need to set lshell as the user's shell and add the user's parameters to the config, where you specify a list of allowed commands and, optionally, directories.
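
The setup this answer describes, as an added example that is not part of the original post or of lshell's own documentation: a per-user section in /etc/lshell.conf that allows a single command. The account name curluser, the home directory, the shell path in the comment and all values are assumptions.

```ini
# /etc/lshell.conf (constructed example; "curluser" is a hypothetical account)
# Make lshell the account's login shell first, e.g.:
#   chsh -s /usr/bin/lshell curluser   (binary path assumed, check your package)

[global]
# where lshell writes its per-user logs, and how verbose they are
logpath         : /var/log/lshell/
loglevel        : 2

[default]
# fallback values for any account that uses lshell and has no own section
allowed         : ['echo']
# shell metacharacters that would chain, redirect or substitute commands
forbidden       : [';', '&', '|', '`', '>', '<', '$(', '${']
# number of forbidden attempts tolerated before the session is closed
warning_counter : 2
# 1 = an unknown command also counts against warning_counter
strict          : 1

[curluser]
# the only program this user may start; arguments are typed as usual
allowed         : ['curl']
# directories the user may enter or reference
path            : ['/home/curluser']
home_path       : '/home/curluser'
# no file transfer over the same account
scp             : 0
sftp            : 0
```

lshell decides which programs may be started; what an allowed program then does with its arguments (for curl, which URL schemes and local files it will touch) still has to be reviewed separately.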

Konstantin Dolinin, 2014-08-14
@kostett

Chroot makes the most sense.
You can change the permissions on all binaries in /usr/bin and similar places so that the user has read permission only for curl. But I think this is too sweeping a crutch.

mc2, 2014-08-22
@mc2

Iron Bars Shell is a restricted Unix shell. The user can not step out of, nor
access files outside the home directory. It is written in C for Linux. No
libraries used. It is small, fast, secure. Two ascii configuration files for
more control.
www: ibsh.sourceforge.net

RPG, 2014-10-20
@RPG

ACL / chroot will still be more reliable, and so that you do not have to update: mount --bind. And then, you know, there is curl file:///etc/passwd, and anything can happen.
