@tjur Your question is an interesting one - as I do use DT3 within my small company and have pondered related issues.
The truth is - as much as I am a terrific DT3 fan, it seems to mostly be intended for and used by individuals or perhaps small family units or very small work teams.
While DT3 shines in automation power, it lacks the auditing and granular security features present in most corporate databases. Frankly I think it would be very hard to implement that security without losing automation capability.
I think the most practical solution in a work environment is to give DT3 Desktop capability only to a few extremely trusted employees (“trusted” not only in an ethical sense but also in a technologically-sophisticated sense). For the rest, DT3 Server provides access to essential data with most of the ability to wreak automation havoc removed.
Beyond that - you can do as I have chosen and create some web apps for targeted DT3 tasks which do not offer access to the rest of DT3: