1. Limit capabilities on the *USRPRF relates to the ALWLMTUSR() attribute on the *CMD object. It gives you a way to allow command-line access without allowing all commands, but if they can use a CALL command it won’t restrict which program they can call. *PUBLIC *EXCLUDE will stop them unless they have explicit authority or *ALLOBJ (see below).
2. To access an object you need various rights to the object depending on use, plus *READ rights to the *LIB. If the lib has *EXCLUDE, you’re safe – except for *ALLOBJ.
Think of *ALLOBJ as a complete bypass of the normal object level system authorities – if a user has *ALLOBJ then normal object / library level authorities will not stop them. (This is why it should be _very_ restricted).
As for attention key programs, it all depends on what the program does. If it just brings up a menu then they can only do what that menu allows. As a developer I use one that calls QCMD so that I can start the interactive debugger in the middle of testing a program. Not something to give to your average user.
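Added example, not part of the original reply: CL commands an administrator could use to apply and verify the settings described above. The profile APPUSER, the library PAYLIB and the program PAYPGM are placeholder names.

```cl
/* Constructed names: APPUSER, PAYLIB and PAYPGM are placeholders.     */

/* 1. Limit capabilities on the profile, then check whether CALL is    */
/*    open to limited users (the ALWLMTUSR value shown by DSPCMD).     */
CHGUSRPRF USRPRF(APPUSER) LMTCPB(*YES)
DSPCMD    CMD(CALL)

/* 2. Exclude *PUBLIC from the library and from the program in it,     */
/*    so a CALL fails unless the user holds explicit authority.        */
GRTOBJAUT OBJ(PAYLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(PAYLIB/PAYPGM) OBJTYPE(*PGM) USER(*PUBLIC) AUT(*EXCLUDE)

/*    Confirm what is actually in effect on both objects.              */
DSPOBJAUT OBJ(PAYLIB) OBJTYPE(*LIB)
DSPOBJAUT OBJ(PAYLIB/PAYPGM) OBJTYPE(*PGM)

/* 3. *ALLOBJ bypasses step 2, so review who holds it. The first       */
/*    command shows one profile (special authorities, limit            */
/*    capabilities, attention program); the second dumps every         */
/*    profile to an outfile for review.                                */
DSPUSRPRF USRPRF(APPUSER) TYPE(*BASIC)
DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE) +
          OUTFILE(QTEMP/USRAUDIT)

/* 4. Remove the attention-key program from a profile that should not  */
/*    reach a command line through it.                                 */
CHGUSRPRF USRPRF(APPUSER) ATNPGM(*NONE)
```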