"lockdown" a content host

I have a content host that hasn’t been patched in a very long time. However the application owner needs this host to NOT be upgraded. This is a finance system.

Expected outcome:

I want this system to not be updateable beyond it’s current software packages, but still be able to apply security patches.

Foreman and Proxy versions:
Foreman 3.9.1

Foreman and Proxy plugin versions:
Katello 4.11.1

Distribution and version:
redhat 8.9

I also want to prevent another well-intentioned admin from running “yum update” on it…