Thanks for getting in touch. The variable snapshot is part of the release and, in terms of permissions, falls under the permission for editing the release: ReleaseEdit. So the answer is no, there isn’t a finer-grained permission you can use to achieve this.
Every action in Octopus is audited. Your instructions to that specific team can be that they should only update variables and not manipulate anything else; if they ever did, you would see which user did it in the audit history.