The recommendation here is that the following command be used in each namespace:
kubectl -n <Namespace> patch serviceaccount default -p "automountServiceAccountToken: false"
which does not automatically mount the default ServiceAccount in any Pod. This implies that for each Pod a separate ServiceAccount with the necessary rights must be created and mounted in the Pod.