Let me wrap with the following then, at least for now.
If I want to remove SA access rules for a given page, is it obvious how to proceed? In the SA interface? Or by removing a block of code from the page? Of course if so, how to identify the code block?
Thanks for the word on PCI.
The need at the moment is to try to give my client (and me) some sense for the strength of the security provided by SA. In the end that is a fraught question, since there will be no good metric, really. But in today's world, the client, with hard-earned intellectual property, naturally looks for some sense of how secure the pages will be against determined miscreants.
I suppose the base form of the question would ask after any vulnerabilities. Anyway, some sense for strength is helpful in a world where attempts to undo security are endemic.
With appreciation as always, David