You know your business more than us so as long as you go in educated, I am happy.
For example, if you did an integration and someone made a helper app for Quality, then you have two places to make the check. Add another app, etc., etc. Yes - I am possibly over-engineering for future-proofing, so feel free to ignore the discussion.
Instead maybe a BPM? (Since you are uncomfortable with the field security - understandable, since that really feels like a dev or DBA UI rather than a power user UI.)
On SalesOrder MasterUpdate prevent updates when the user is in a certain group? There may be a couple of methods you need to block changes upon from SO but with that approach, it’s one change for any other UIs.
I am sure others will have some ideas, but if we have strayed into overcomplicating, that’s understandable.