> - get the symbols of the compiled image, and fail the build if the above are referenced

He explains how to detect the symbols later in the article.

> - other ideas: eliminating the allocator code from the image? (Why have it there if it's not called?)

Because you want to detect if it is called indirectly by some function you're calling.

"Prevent" has a precise meaning here, which I've had projects that require.

> create a linker warning against malloc, calloc, realloc, ...

This prints something on a screen. It does not prevent the usage.

> get the symbols of the compiled image, and fail the build if the above are referenced

It was used, and now you've detected its usage. It did not prevent the usage.

> eliminating the allocator code from the image? (Why have it there if it's not called?)

This requires attention, and a deep knowledge of all the code. It doesn't prevent the usage, since you’re free to type “malloc()” with your fingers.

Sometimes you need an explosive guarantee!

> This prints something on a screen. It does not prevent the usage.

  -Werror=...?

> It was used, and now you've detected its usage. It did not prevent the usage.

  foo_image: $(OBJS)
       ....
       if $(NM) $@ | grep -s -E 'malloc|...' ; then \
          echo "dynamic allocation not allowed" ; \
          exit 1 ; \
       fi

I guess it's opinion, but these are both "soft" checks, in my eyes. To me, "prevent" means it's not possible. These solutions are external checks, rather than "it literally can't work". In our case, it literally could not be allowed to work.