Kubernetes automatically places a token and certificate in /var/run/secrets/kubernetes.io/serviceaccount
of each running container in a pod. This token allows access to the API Server from any container.
Is it possible to either prevent this directory from being added to a container or specify a service account that has zero privileges?
That token has no explicit permissions. If you run with any authorization mode other than AllowAll, you will find that account cannot do anything with the API.
If you want to stop injecting API tokens, you can remove the service account admission controller from the list (in apiserver options).
If you want to stop generating tokens completely, you can remove the private key argument from the controller manager start options.
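As an added example (not part of the original answer), the three settings it mentions can be audited from the component command lines. The flag names `--admission-control`, `--disable-admission-plugins`, `--authorization-mode` (value `AlwaysAllow`) and `--service-account-private-key-file` are not named in the answer and are assumed here from the kube-apiserver and kube-controller-manager options; the sample command lines are constructed.

```python
import shlex

# Constructed sample command lines (not from the original post).
APISERVER = ("kube-apiserver --authorization-mode=Node,RBAC "
             "--enable-admission-plugins=NodeRestriction "
             "--disable-admission-plugins=ServiceAccount")
CONTROLLER_MANAGER = ("kube-controller-manager --leader-elect=true "
                      "--service-account-private-key-file=/etc/kubernetes/pki/sa.key")

def parse_flags(cmdline):
    """Return {flag: value} for both --flag=value and --flag value forms."""
    flags, args = {}, shlex.split(cmdline)[1:]
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--"):
            name, sep, value = arg[2:].partition("=")
            if not sep and i + 1 < len(args) and not args[i + 1].startswith("--"):
                i += 1
                value = args[i]
            flags[name] = value
        i += 1
    return flags

def csv(flags, name):
    """Split a comma-separated flag value into a list (empty if unset)."""
    return [v for v in flags.get(name, "").split(",") if v]

def audit(apiserver_cmd, controller_manager_cmd):
    api, cm = parse_flags(apiserver_cmd), parse_flags(controller_manager_cmd)
    if "admission-control" in api:
        # Legacy flag: the list is explicit, so the plugin must be named.
        injects = "ServiceAccount" in csv(api, "admission-control")
    else:
        # Assumption: newer releases enable ServiceAccount unless disabled.
        injects = "ServiceAccount" not in csv(api, "disable-admission-plugins")
    # Assumption: an unset --authorization-mode defaults to AlwaysAllow.
    modes = csv(api, "authorization-mode") or ["AlwaysAllow"]
    return {
        "tokens_injected": injects,   # admission controller mounts the token
        "tokens_generated": bool(cm.get("service-account-private-key-file")),
        "token_unrestricted": "AlwaysAllow" in modes,  # any token can do anything
    }

if __name__ == "__main__":
    print(audit(APISERVER, CONTROLLER_MANAGER))
```

On a node, the real command lines can be taken from the static pod manifests or the process list and passed to `audit()` in place of the constructed samples.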