This is very interesting, I've never seen something like this done before. So I have one more question. Why not SIGSTOP'ing most processes then, and only keep running those that are vital for making it possible to unlock the system later (frankly, I don't know which ones would those be)? Or is it too hard to figure in a script which processes to keep running and which ones to stop?

When a script evolves into anything more than a sequence of simple commands, I switch up to perl :-)

The perl for implementing this would be easy. The hard part would be working up a list of processes to not stop. Once that is incorporated into a regex ($keepers), sending SIGSTOP to everything else is a one-liner:
Or split out into simple statements for readability and using a precompiled regex:
And then to issue SIGCONT to the stopped processes we can just pass the whole list to kill:
The $keepers regex would be something like /(\[|$$|sshd|xlock|Xorg)/ .. I'd include sshd in case I needed to ssh into the laptop while it was locked. The "$$" is perl's builtin for referring to its own process, so adding $$ to the regex would prevent the script from stopping itself. The "\[" would match the kernel processes and init (which shows the runlevel in []'s).

To stop all processes, not just those owned by the user, the script would have to run as root. If it's not, though, then the kill statement would silently fail to issue SIGSTOP to other users' processes and no harm done.

I probably won't use this logic in xlament any time soon, because it's bumping into the point of diminishing returns. When I killall that scant handful of processes, the load average sinks to about 0.01, which is good enough :-) no need to add complexity beyond that.