Yes, it can - for instance the Matrix servers that the French government runs do this by default already. We haven't exposed this as a config option and pushed it into mainstream Synapse yet because of https://github.com/vector-im/riot-web/issues/6779, but the tweak for doing it is:
Is this true? As far as I know, even in rooms with m.room.encryption, you can still send normal m.room.messages. Or does the config option you're describing automatically setup room PLs such that m.room.message can't be sent?
technically you can still send normal m.room.messages (or anything else), but any spec-compliant client will refuse to do so in a room where m.room.encryption has been enabled.
https://github.com/matrix-org/synapse/pull/3426/files