Is there a setting that can prevent jobs from running as root and use another default non-root user?

Release : 12

Component : CA Workload Automation System Agent

The agent has security feature which can be turned on, see here for more details.

Add the following to the agentpam.txt

security.level=on

Here is an example for allowing a user and denying root

c a * * *
f a * * +
x a USER1 usera +
x d * root +

The USER1 is the user that submits job from your Manager.  The user is the OS side user and they are allowed.  The USER1 can be substituted for * to allow any manager side user (or prefix) to submit jobs to the agent.

The root is denied for any jobs.

Note: Once security is enabled, only the allowed users in the security.txt will be able to run jobs.  If another user exists in the OS, but not in security.txt, then the agent will deny jobs from that user.  

Changes to security requires restart or agent.