The sudo mode should be the answer to your problem. The sudoers can be customized to allow only what the Unix admins want to allow. That may cause problems, however, if the job starts an allowed script that invokes commands not allowed under the sudo profiles, or accesses directories not allowed via other methods.
When the Unix agent runs as root, it basically executes su - <user> -c <command>. The sudo execution does the same under sudo supervision.
There is no way that the Control-M admins can go around this sudo configuration, unless they have another user or permissions to change the sudoers files, in which case, why bother...
The Control-M server security is set mostly so the schedulers will not be able to do what they are not allowed, but a Control-M Admin can change that as they see fit, so it is like telling the Unix security person that they cannot perform security changes. You have to trust someone at some level, and that is where checks, balances, and processes come into play.
I would upgrade your agents to v9 FP1 (at least) and implement the sudo feature, and test it, as with restrictive security you may run into other problems, like SELinux settings and such.
Hope this helps. Let us know if you have questions.
Thanks for the detailed response - I'll do some testing but based on your reply I think this is the solution we should go with.