I think you should be able to modify their user ids and limit what they can do. Check into object authority, group authority.
The data files should be limited to *public view and your RPGLE/COBOL programs should use owner authority, with the “owner” having full data authority to the data.
If you have the users using their green screen access to run the programs and then they use that same access to use the data via ODBC, there is little that can be done except to take away their update/write capability and front end their application menu with an adopted authority that gives the users via green screen the access they need. Then they would not have anything but read-only access.
You will also have to front end any jobs that submit their requests to batch, as the adopt authority does not follow along, but a routing program that calls a program just to adopt a profile with the same authority as the initial call program menu will work just fine.
This can be a lot of work and testing to get this functionality working but well worth it to the company and the auditors 🙂
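
The setup described in the post above, sketched in CL as an added example that is not part of the original post. The library, file, program and profile names (APPLIB, ORDERS, ORDMAINT, ORDBATCH, APPMENU, ADOPTMENU, ADOPTBCH, APPOWNER) are hypothetical, and `*USE` is assumed as the read-only authority for `*PUBLIC`.

```cl
/* Added example; all object and profile names are hypothetical.     */

/* 1. Data file: owned by the application profile, read-only for     */
/*    everyone else. With *USE, a user's own profile (green screen   */
/*    or ODBC) can read rows but not add, update or delete them.     */
CHGOBJOWN  OBJ(APPLIB/ORDERS) OBJTYPE(*FILE) NEWOWN(APPOWNER)
GRTOBJAUT  OBJ(APPLIB/ORDERS) OBJTYPE(*FILE) USER(*PUBLIC) +
             AUT(*USE) REPLACE(*YES)

/* 2. Front-end program ADOPTMENU: its whole job is to adopt the     */
/*    owner's authority and then call the application menu program.  */
/*    CL source of ADOPTMENU:                                        */
PGM
   CALL PGM(APPLIB/APPMENU)
ENDPGM

/*    Make it owned by APPOWNER and run under the owner's authority. */
/*    Programs called below it inherit the adopted authority.        */
CHGOBJOWN  OBJ(APPLIB/ADOPTMENU) OBJTYPE(*PGM) NEWOWN(APPOWNER)
CHGPGM     PGM(APPLIB/ADOPTMENU) USRPRF(*OWNER)
GRTOBJAUT  OBJ(APPLIB/ADOPTMENU) OBJTYPE(*PGM) USER(*PUBLIC) +
             AUT(*USE) REPLACE(*YES)

/* 3. Batch: adopted authority does not follow a submitted job, so   */
/*    submit a wrapper that adopts again before the real work runs.  */
/*    CL source of ADOPTBCH:                                         */
PGM
   CALL PGM(APPLIB/ORDBATCH)
ENDPGM

CHGOBJOWN  OBJ(APPLIB/ADOPTBCH) OBJTYPE(*PGM) NEWOWN(APPOWNER)
CHGPGM     PGM(APPLIB/ADOPTBCH) USRPRF(*OWNER)
SBMJOB     CMD(CALL PGM(APPLIB/ADOPTBCH)) JOB(ORDBATCH)

/* 4. Review the result: who holds what on the file, and which       */
/*    programs adopt the owner profile.                              */
DSPOBJAUT  OBJ(APPLIB/ORDERS) OBJTYPE(*FILE)
DSPPGMADP  USRPRF(APPOWNER)
```

The `DSPPGMADP` listing is worth keeping for the auditors: every program on it runs with APPOWNER's authority, so each one should offer only the application's own functions.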