Heh. You have to basically give it full shell access, and access to all of asterisk, so it's not actually DOING anything. So that's why we say turn it off, and it's the standard response. People don't know what they're doing, and go crazy trying to lock things down, and end up with a broken system.
Amusingly, this is EXACTLY what you have done trying to lock things down.
I'm not sure if that'll get past peer review. By explicitly defining a shell, you're significantly reducing security. If someone has configured the asterisk user to use rbash or similar, because they have a good reason to, and they know what they're doing, that bypasses their security.
However, I don't get to make that call. Feel free to create a pull request, and we'll have a look at it.
However, what I think WOULD be a much better thing to do is to actually add a check to install that validates that the user hasn't erroniously set the shell incorrectly.