SECDEBG is a script delivered with CA TPX that is used to trace communication between TPX and external security during the user signon process.
What are the recommendations for securing who can access the SECDEBG ACL within CA TPX?
First, this ACL is only run from within TPXOPER. You can check who has this Operator authority with TPX batch. See this KB article for instructions on how to do this:
There is an option within the Command Authorization Class (CMDT) to restrict submitting any ACL, but it is our opinion that this would be too restrictive to implement across the board.
Finally, the only other suggestion is to perhaps create a custom version of SECDEBG that starts with a userid check.
--- Keep custom ACLs in a PDS concatenated ahead of the delivered CB0VSCRI in your ACLLIB DD.
--- You can also add security rules to restrict access to this library.
--- The only caveat is that you have to ensure any future changes to SECDEBG are incorporated into your custom version, but it does not change too often.