The applications themselves or their accounts only go as high as dbo in the databases. However, for other reasons there are accounts that have sysadmin access that are not tied to the applications at all.

So if I were to create the certs/keys/views and explicitly deny access it would have the desired result. My only concern is that someone at the sysadmin level could create another sysadmin account which by default would have access. Is there a way to make the default permssion for an object 'deny'?