Setting PERMISSION_SECURITY to ‘secure’ configures polkit to requires users administrative rights to power off and reboot the system, but it still allows them to do so from the login screen.
Is it possible to deny users from rebooting or shutting down the system from the login screen too (sddm)?
Unfortunately it seems this is not configurable in SDDM (which is crazy) as per this bug ticket on GitHub: https://github.com/sddm/sddm/issues/611
You could try what sddm.conf according to the man page allows:
Halt command. Default value is "/bin/systemctl poweroff".
Reboot command. Default value is "/bin/systemctl reboot".
Perhaps change them to false and/or something else. Although people reported in that thread that even that doesn’t work.
… or, you could switch display managers. In the Yast Software Manager, for example, you can still install kdm, then switch to it.