Can a global admin for Office 365 be demoted to "read only", after the Securlet has been setup correctly?
Yes. It is possible to set up the Securlet with Global Admin privileges and then demote the admin to read only after it is set up. Since this is all on the Microsoft side, this could be subject to change in the future. So it is not necessarily recommended, but possible.