You could very easily limit access to those buttons as you suggested, in fact, that would be my first choice in this situation.
Regarding limiting which items you have access to sync, there isn't really anything OOTB other than what you already suggested.
I know you didn't want to write any custom code but you could take a look at the global event handlers for staging and simply perform some checking for users in a specific role or roles and simply stop the sync. My guess is you'd write 30-60 lines of code, if that, and gain a huge amount of customization. You could even make it generic and have it look to see if the user is part of a role you specify in settings. You'd have to create a module within the Kentico UI and set the form control up but then you can easily add/remove roles who would be able to sync items. You could then even more specific and create settings for each role that have page types or objects that role has access to.