ps: Look to see who has object type FUGR with ACTVT 16 as well.
That is also the same as SAP_ALL actually as remote FMs don't check your authorizations and update FMs are not meant to check and auths.
In the same way, the debugger does not check application authorizations (such as changing account number or setting sy-subrc to 0 after failed checks.
In both cases you can control at the object name level, but you cannot effectively control at levels such as org. fields and document types etc.
--> Remove the dedugging from "normal" operational authorizations. Throw it over the fense into a controlled emergency use concept.
Cheers,
Julius