
Good point, I forgot about C allowing passing around pointers to stack variables. Hmm.


What if you set up SS to mirror DS, but with a limited range so that any attempt to access memory outside the stack via SS: causes a page fault? Wouldn't any exploit running ESP down into the heap be thwarted by any stack-related instruction (push, pop, or an interrupt)?


The accesses causing issues here are not guaranteed to use SS - that only happens for effective addresses [ebp+...] and [esp+...]. If ESP is copied into another register first (which in practice will almost always be the case) then the access will use DS. PUSH will always use SS but that's not the issue here (that only moves ESP by 4 bytes so it'll always hit the guard page). And in modern OSes, interrupts don't use the user mode stack at all - the CPU will switch to kernel mode and use a kernel stack since the user mode stack isn't guaranteed to be valid.


Interesting. I was just curious if it would be impossible to write shellcode without triggering an SS:ESP access (via call, push, pop, ret) that would page fault due to protection/selector limits, because that seemed like a neat way to mitigate.



