The recommendation here is that the following command be used in each namespace:
kubectl -n <Namespace> patch serviceaccount default -p "automountServiceAccountToken: false"
This stops the default ServiceAccount's token from being mounted automatically in any Pod. It follows that each Pod needs a separate ServiceAccount, created with the necessary rights and mounted in the Pod.
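To check that the setting has taken effect, the following added example (not part of the original page) audits a listing shaped like the output of `kubectl get serviceaccounts,pods -A -o json` and reports Pods that still receive the default ServiceAccount's token. It goes slightly beyond the command above by also covering a Pod spec that sets `automountServiceAccountToken` itself, which takes precedence over the ServiceAccount; the namespaces, Pod names and function names are constructed for illustration.

```python
import json

# Constructed sample, shaped like `kubectl get serviceaccounts,pods -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ServiceAccount", "metadata": {"namespace": "shop", "name": "default"},
  "automountServiceAccountToken": false},
 {"kind": "ServiceAccount", "metadata": {"namespace": "shop", "name": "orders-api"}},
 {"kind": "ServiceAccount", "metadata": {"namespace": "legacy", "name": "default"}},
 {"kind": "Pod", "metadata": {"namespace": "shop", "name": "web"}, "spec": {}},
 {"kind": "Pod", "metadata": {"namespace": "shop", "name": "orders"},
  "spec": {"serviceAccountName": "orders-api"}},
 {"kind": "Pod", "metadata": {"namespace": "shop", "name": "debug"},
  "spec": {"automountServiceAccountToken": true}},
 {"kind": "Pod", "metadata": {"namespace": "legacy", "name": "batch"}, "spec": {}}
]}
""")


def token_mounted(pod, sa_settings):
    """Effective automount decision for one Pod."""
    spec = pod.get("spec", {})
    # A value set in the Pod spec takes precedence over the ServiceAccount.
    if "automountServiceAccountToken" in spec:
        return spec["automountServiceAccountToken"]
    key = (pod["metadata"]["namespace"], spec.get("serviceAccountName", "default"))
    # When the field is unset on both objects, Kubernetes mounts the token.
    setting = sa_settings.get(key)
    return True if setting is None else setting


def audit(listing):
    """Return sorted (namespace, pod) pairs that still get the default ServiceAccount's token."""
    items = listing["items"]
    sa_settings = {
        (i["metadata"]["namespace"], i["metadata"]["name"]): i.get("automountServiceAccountToken")
        for i in items if i["kind"] == "ServiceAccount"
    }
    findings = []
    for pod in (i for i in items if i["kind"] == "Pod"):
        sa_name = pod.get("spec", {}).get("serviceAccountName", "default")
        if sa_name == "default" and token_mounted(pod, sa_settings):
            findings.append((pod["metadata"]["namespace"], pod["metadata"]["name"]))
    return sorted(findings)


if __name__ == "__main__":
    for namespace, name in audit(SAMPLE):
        print(f"{namespace}/{name}: default ServiceAccount token is mounted")
```

In the sample, `legacy/batch` is reported because its namespace was never patched, and `shop/debug` because the Pod spec re-enables the mount despite the patched ServiceAccount.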