I am afraid it is not possible to avoid all the problems you mentioned if all sites resided within the same Kentico instance.
However, access levels to custom web parts can be created using the following Kentico extension - Web part restriction according to roles. Basically it will enable you to select roles for which you can control the permissions. But global administrators will still have full permissions no matter what.
The other problem regarding publishing the application while not affecting other running sites cannot be avoided unless you split the sites into multiple Kentico instances.