- Jan 11, 2020
Your KIS setup is very strong, especially for unsafe applications/DLLs/scripts (TAM). I am not sure if it is equally strong for LOLBins and fileless attacks, but it can probably mitigate most of them in some way. Many such attacks can be carried out via weaponized MS Office documents. Normally, SysHardener can be tweaked to harden MS Office applications. But on a SUA, SysHardener's hardening for MS Office does not work.
I do not think that your setup requires any modification. Please treat my notes as theoretical considerations.
You touched on an important point: the mitigation of LOLBin attacks on KIS isn't actually very strong. I had already considered it, and I have not yet had time to try whether it is possible to do something on KIS (create specific rules).
SysHardener is tweaked, but I wasn't aware of its limitation with Office in the SUA.
Your considerations and advice are always welcome, so tell me if you have alternative proposals to recommend.