Having sa own all databases isn't a good security practice.  Have a look at this article.  We go with number 5 in the Possibilities section here.  Adi is right about your application users being sysadmin - you ought to challenge the vendor on why that is a requirement.  Maybe it was only necessary so that the database could be created during installation?

John