If we grant everyone access to IBMFAC "SYSSSM.FUNC" (SYSSSM is the default value of the VKGPARMS parameter SECURPFX) which will allow them to see all objects, will that be the extent of what they get with that permission?  Would they be allowed to touch a data set?
 

Vantage

Users with alter access to the resource named SYSSSM.FUNC are granted access to all objects.
This is access to the objects, not to the Data sets or Actions.
 
Any object can be secured to limit access to it by defining a Facility name of:  SYSSSM.FUNC.x
(See the additional information, below.)
   
VKGPARMS parameter STGADMIN (no default for this parameter) specifies the Resource Facility name that, if a user has access to, permission is granted to actions (line commands) for non-tape related objects.

A suggested value is:  STGADMIN (STGADMIN.VANTAGE)

This is suggested because a site may have other STGADMIN.xxx values defined for other purposes.
 
Your normal security rules would secure access to the data sets.

Configure Security