You can use security features like access role to objects, access deny, privieleges etc to configure such security settings. e.g. to restrict changes to Access groups, you can create an access role to object against Data-Admin-Operator-AccessGroup class and mention proper production level (e.g. 0 to deny access) against update/delete instances.
Similarly, this can be extended to other relevant classes as required