If you do a WRKOBJ WRKJOBSCDE you can set the access to the command. Option 2 lets you change the access you want anyone to have or not to have. You can put *PUBLIC *exclude and just set up for certain user access like a Systems Administration ID or a Group profile and then give what access they can have.
The only reason to block access to the Job Scheduler is that your users have been granted too much authority. And if they have so much authority that they can affect scheduled jobs that don’t belong to them, then blocking WRKJOBSCDE won’t fix the problem — they can still schedule jobs or interfere with scheduled jobs without using the job scheduler.
The problem is that you are using scheduled jobs that are owned by the wrong users or you have given *JOBCTL special authority to users who are dangerous to your business.
In the case of *JOBCTL, that special authority overrides other authority restrictions that you attempt to put in place to protect jobs — that’s why *JOBCTL exists, to allow “special” users to ignore authority restrictions for jobs.
If they don’t have access to *JOBCTL, then the only jobs they can affect are their own jobs. If you have users who shouldn’t be controlling their own jobs, you shouldn’t be letting them sign on to your system.