A data access object is an abstraction layer that sits between applications and the database behind them. This allows developers to use data and remain agnostic to the database structure and code. Theoretically this allows us to put anything in place for data storage, even replacing RDBMS with NoSQL. This is very different from the way we currently have our metadata libraries defined because the database structure is exposed in the tables of the library in EG. Typically our users will either use a Query task or write some code using a libname with the meta engine and SQL code to get to the data.
You are correct, we don't completely "block" our users from SQL passthru, but they don't have individual logins and we don't share the credentials of the service account. A savvy user could figure out how to set up SQL passthru, but the savvy users aren't the core problem we are trying to solve for.