As you mentioned, PLUSDSPLAN is the only net new application and should ensure it is removed from security access for those you don't want to use the app. Don't write data restrictions or make any other changes to try and make it unusable because those won't be evaluated when it comes to licensing. As long as it doesn't exist in APPLICATIONAUTH, you're good.
Calibration and Linear being embedded into apps is complicated. You can't simply hide the functionality using your own signature options. We look for permissions that are tied to that license key and see if your user is granted access to them. You can find the permissions using:
select * from sigoptflag where flagname='LICENSEKEY' and value='CALIBRATION' and app!='MULTISITE';
Make sure your users (that you don't want to be using Calibration) do not have those permissions. Some of these permissions are granted out of box to the EVERYONE/MAXEVERYONE group which is why you're seeing most of your users calculate this way.