An engineer SHALL have root on their own machine.
I know all about PCI compliance and the weight of the phrase "your CEO will go to jail if you don't harden system X". Still, any devops worth their salt will put their developers on a secure dev subnet where they can't make mistakes or pose any threats. But please make sure all the required ports are open!
Also: what better way to tell your engineers they're special than by telling them they're allowed to make a mess in their own room?