A1: If a user has permission to create a SLA (per the idash-sla policy) and has access to certain jobs (per the as-job policy), then they are able to create SLAs based on the jobs they have access to. If an SLA references a job that a user does not have access to, then they will not see the SLA.
A2: Double check the EEM as-job policy and make sure the default as-job policy is not enabled. If the proper as-job policy is set in place and the default as-job policy has been disabled, users should only be able to the SLAs associated with the jobs they have privileges on.
A3: The idash-tag policy allows users to see all tags and create all tags. If a user is not supposed to be able to see a tag (or create a tag), you need to create an Explicit Deny idash-tag policy. In the Resources, you will specify the name(s) of the tags they shouldn't be able to see. See EEM User Permissions on iDash Tags