You'll get a lot of information here:
Seems there is little a developer can do that could cause serious harm (except spoiling the code itself !)
You should forbid access to certificates (if I remember, done in Roles).
Could call support to get further advice:
Your 'safetly measures' comfort should principally lie in the contract/legal agreement between you and other individuals based on what they have been hired to do.
Once that document is in place, you can then look at the mechanics involved in each role, keeping in mind the difference between Account/Member Center roles and App Store Connect roles - 'Developer' is basically an ASC role, with certain abilities in the Member Center.
See...- ASC User Roles:
Role Permissions - what each role can do is broken down here by topic...
- Program/Member Center Roles
- Search Ad account roles: