But could you GRANT EXECUTE ON SCHEMA TO ROLE? That way only the necessary objects are contained and it would simplify future user set ups as they only need adding into the role.

Admittedly there would be some initial pain in adding the objects to the right schema.

I really fancy exploring the DDL trigger method now.....