Yup. You can only add the nopax flag as root, so if your system is already hosed, not much else you can protect. Root has access to ring 0 so anything goes with access like that. Stuff like pax would slow them down for sure and stop script kiddies, but root access is root access.
No privileged accounts can’t do anything with the nopax flag. That’s why you should configure your system to not run things as root as much as possible. Personally; on desktops, I don’t even use a sudoer natively. I have to su into my sudoer account in order to run root commands.
https://www.youtube.com/watch?v=YGyvLlPad8Q&t=1m35s