Add policy support to hosted repositories for allowing pushing branches or tags
Closed, Resolved, Public

Description

On some repos, we'd like to prevent users from pushing new branches.

Event Timeline

swisspol raised the priority of this task from to Needs Triage.
swisspol updated the task description.
swisspol added a subscriber: swisspol.

Can you use a Herald rule like this?

For: Commit Hook: Branches/Tags/Bookmarks
Type: Global

When [ all of ] these conditions are met:
[ Ref type ][ is ] [ branch ]
[ Ref change type ] [ has bit ] [ change creates ref ]
[ Repository ][ is any of ] [ X, Y, Z ]
[ Pusher's projects ] [ do not include ] [ super ultra trusted users who are great at git ]

Take these actions: 
[ Block change with message ] [ You aren't allowed to push new branches to this repository. ]

The "Pusher's projects" rule could be some other qualifier (e.g., only administrators, etc).

The "repository" rule could be something like [ Repository's projects ] [ include ] [ no branch pushes ] instead, then you can add that project to all the repositories you want to enforce this rule for.
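What the rule's conditions amount to at the git level, as an added shell illustration (not Phabricator's code and not part of the original thread): git reports a newly created ref to a pre-receive hook with an all-zero old object name. The `TRUSTED_PUSHERS` list, the pusher names and the sample push are constructed stand-ins for the trusted project and real input.

```shell
#!/bin/sh
# Added illustration: evaluate "new branch pushed by an untrusted user"
# over pre-receive style input lines: "<old-sha> <new-sha> <refname>".
ZERO=0000000000000000000000000000000000000000

# Hypothetical allow-list standing in for the trusted project's members.
TRUSTED_PUSHERS="alice bob"

is_trusted() {
    for u in $TRUSTED_PUSHERS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# check_push PUSHER   (ref updates are read from stdin)
# Prints one line per blocked ref and returns 1 if anything was blocked.
check_push() {
    pusher=$1
    blocked=0
    while read -r old new ref; do
        case $ref in
            refs/heads/*) ;;       # "Ref type is branch"
            *) continue ;;         # tags and other refs are not covered by this rule
        esac
        # "Change creates ref": the old object name is all zeros.
        # Updates and deletions have a non-zero old value and pass through.
        [ "$old" = "$ZERO" ] || continue
        if ! is_trusted "$pusher"; then
            echo "BLOCK $ref: You aren't allowed to push new branches to this repository."
            blocked=1
        fi
    done
    return $blocked
}

# Constructed sample push: an existing branch updated, a new branch, a new tag.
sample_push() {
    printf '%s\n' \
        "1111111111111111111111111111111111111111 2222222222222222222222222222222222222222 refs/heads/master" \
        "$ZERO 3333333333333333333333333333333333333333 refs/heads/feature-x" \
        "$ZERO 4444444444444444444444444444444444444444 refs/tags/v1.0"
}

sample_push | check_push mallory || echo "push rejected for mallory"
sample_push | check_push alice && echo "push accepted for alice"
```

Only `refs/heads/feature-x` is blocked for the untrusted pusher; the branch update and the new tag pass, which is why a tag policy needs its own rule with the ref type set to tag.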

Oooooh. Nice.

> The "Pusher's projects" rule could be some other qualifier (e.g., only administrators, etc).

How does this work? It looks like I can only use projects, not "Administrators"?

Oh, I suppose there's actually no way to specify "Administrators", per se, right now. We could maybe add one after T8726 wraps up.

T8644 also discusses writing a "recipe book" for Herald, since there are a lot of things like this which it's powerful enough to do but where the pathway isn't necessarily obvious.

swisspol claimed this task.

Got it, thanks!