One very simple option would be to kill all queries which take more than a few hundred ms, or which return over n rows, and send an alert. Such queries are almost always slow, and tend to stand out amongst normal traffic.

Doing so keeps your db responsive against programmer errors and limits data exfiltration. I've been doing this for the first reason for years.