If you can trust him to develop, maybe you can trust him not to mess with the System Settings?
If his snippet use the MODX processors with $modx->runProcessor() ), his permissions will stop forbidden processors from running.
If he uses xPDO (as he should), the permissions will also apply.
In your code above, you've executed your low-level query directly, which bypasses xPDO. There's no reasonable way to control what PHP code he writes, so if he knows how to do direct DB queries in MODX with your method or PDO, and wants to cause trouble, he can do whatever he wants with the database.
Try this code when logged in as your developer. I believe the permissions will block it:
$systemSetting = $modx->getObject('modSystemSetting', array('key' => 'site_name'));
$systemSetting->set('value', 'New Site Name');
$systemSetting->save();