Background

So far, mount -o ro,rbind has not been recursively read-only.

Kernel 5.12 added a new syscall mount_setattr(2) for supporting recursively read-only mounts, but this syscall is not currently used by the mount(8) command of util-linux.

struct mount_attr {
	__u64 attr_set;
	__u64 attr_clr;
	__u64 propagation;
	__u64 userns_fd;
};

int mount_setattr(int dfd, const char *path, unsigned flags,
                  struct mount_attr *uattr, size_t usize);

struct mount_attr attr = {
  .attr_set   = MOUNT_ATTR_RDONLY,
};
rc = mount_setattr(-1, "/mnt/ro", AT_RECURSIVE, &attr, sizeof(attr));

RFE

I suggest defining a new mount(8) option string "rro" for supporting MOUNT_ATTR_RDONLY + AT_RECURSIVE.
"rro" is chosen for consistency with other existing option strings like "rprivate" (recursive "private").

The behavior of the existing "ro" option should remain unchaged, for compatibility reason.