Well, it looks like LES secures binaries, paths, profiles, shells, and groups by setting chmod and immutable on significant things. Files/paths defined in opt.dat of the install. But I'm not so sure that these settings jive with what cpanel is expecting -- especially while running les --disable-all.
I could maybe see using this to secure binaries, but the rest scares me a bit as far as cpanel is concerned. My worry is in the disabling of LES that sets those paths,etc. to 755, when that may not have been the original permission. It's a one fell swoop type of thing that assumes a lot.
If I get time I'll look more closely, but for now I'm sticking to manually securing these items as needed. Just my $0.02