Hi Marianne
1. Batch users (system user type) are often required to execute programs which may call transactions, perform BDC sessions using real transactions, processing failed IDOCS etc. Where there is this requirement then the system user will need to have that authorisation to perform the task and transactional access is necessary.
2. Please see above.
3. The risk of assigning transactional access is usually considered to be within acceptable levels. Many system ID's have SAP_ALL which, while not a great idea for so many reasons, is at least tolerated by most risk managers. Generally it's expected that access to schedule jobs using system users is restricted to only those who need to do it (system admins & in some cases superusers depending on use cases). It's also expected that the system user has access proportionate to the task they perform. If we use external audit as the ultimate reference for risk (has it's drawbacks but it is what it is) then it is unlikely that a serious deficiency will be raised due to a system user having some transactional access. More concerning is lack of restrictions over the general user population being able to manage batch jobs (including switching userID for execution).
Hope that makes sense.
Cheers