Unfortunately this bit is under the control of the device itself, so a malicious device can just ignore this and do DMA anyway.
Fortunately, PCI bridges and PCIe root ports should only forward DMA transactions if their busmaster bit is set. If we clear that then any devices downstream of the bridge or port shouldn't be able to DMA, no matter how malicious they are. But this did have the potential for breaking devices that were still carrying out DMA. Possible solution is to call the driver shutdown code for each device behind a bridge before disabling DMA on the bridge, which in theory makes this safe but does still depend on the firmware drivers behaving correctly.
Bonus: 1bit infoleak (Commit)