Hi,
they can also go straight to DB table using SE16 and get attachment from there. Right?
Honestly, that case when they really need to have access to change in debugger should be so rare that you can handle it as an exception. Whenever they need it they can submit a request and they will get it for limited time. As Julius said if they need it on daily basis then they are doing dodgy stuff.
The macros could not be debugged. So you could wrap your logic into macro and try to prevent easy change of sy-subrc with this technique. It seems that the new debugger allows macro debugging (I haven't tested it). So you can't try to use this trick anymore. Not that I would advice to use this trick.
I think every change of value in debugger gets logged in SM21 so I would have a look there how often it happens in production.
To summarize, a developer with allowed change in debugger is unstoppable.
Cheers