XCMD is a server setting, so it applies to a workspace server without regard for the user accessing the server.

If you really need this (which I strongly doubt, a well-configured server can't be put at risk anyway), you need to define a separate application server context where XCMD is disabled, and use metadata permissions so certain users can only use this special context.

You could try to do it via the WorkspaceServer_usermods.sh file of your workspace server. You can check for the userID and set one of the USERMODS_OPTIONS.

In theory, yes. The documentation for XCMD option says that "it can be restricted by the administor" meaning, this option is compatible with Restriction options at SAS Foundation level.

https://go.documentation.sas.com/?cdcId=pgmsascdc&cdcVersion=9.4_3.4&docsetId=hostunx&docsetTarget=n...

$SASROOT/misc/rstropts/groups

the restriction applies selectively upon the SAS session owner account's login or - better - primary group.

the admin creates a specific SASV9.cfg file in the directory below with the option values set accordingly

<primary group>_rsasv.cfg 

   -XCMD

-this file will take precedence over any SASV9.cfg file globally applied

-if the option value (not the case, here) can also be changed during the sas session, the restriction applies and the change is refused

Never tested. I am suprised this very option is compatible with restriction since it applies only for IOM server sessions.