• Overall, this seems reasonable to me. I like separation of each server/instance to its own account and its own backups. Anyone logging into a server could run IE, and someone will. I'd bet someone has. Humans are often the weak link, so limiting access is always good. There are holes and bugs, and as we've seen the last couple weeks, potential hardware issues with SQL Server.

That being said, development shouldn't be restoring production directly. I know you might not have PII or sensitive data, but you're creating an attack vector for data to be lost/released. Or is Dev secured tightly? I assume you're running DBCC in production? If not you need to, or restore this elsewhere and run it there. For refreshing dev, you can implement a process to copy the backup file, though I'd want some obfuscation/masking to take place before development gets the data.
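One way to implement the dev refresh this reply describes, as an added example (not the commenter's own code): restore the production backup onto a non-production staging instance, run DBCC CHECKDB there, mask the sensitive columns, verify the masking, and only then produce the file development receives. The backup paths, database names and the dbo.Customer table with Email, Phone and LastName columns are assumptions.

```sql
-- Added example, not from the original post. Assumed: file paths, database
-- names, and a dbo.Customer table (CustomerId, Email, Phone, LastName).

-- 1. Restore the production backup onto a staging instance that is neither
--    production nor the dev server, so dev never touches the raw copy.
RESTORE DATABASE ProdCopy_Staging
    FROM DISK = N'\\backupshare\prod\ProdDb_full.bak'      -- assumed path
    WITH MOVE N'ProdDb'     TO N'D:\Data\ProdCopy_Staging.mdf',
         MOVE N'ProdDb_log' TO N'L:\Log\ProdCopy_Staging.ldf',
         REPLACE, STATS = 10;
GO

-- 2. Run the integrity check here, off the production box, so corruption is
--    caught without loading the production instance.
DBCC CHECKDB (ProdCopy_Staging) WITH NO_INFOMSGS, ALL_ERRORMSGS;
GO

-- 3. Mask sensitive columns before anyone in dev can read them. Values are
--    derived from the surrogate key so rows stay distinct and joinable.
USE ProdCopy_Staging;
GO
UPDATE dbo.Customer
SET Email    = CONCAT('user', CustomerId, '@example.invalid'),
    Phone    = CONCAT('555-01', RIGHT('00' + CAST(CustomerId % 100 AS varchar(2)), 2)),
    LastName = CONCAT('Surname', CustomerId);
GO

-- 4. Refuse to hand anything to dev if any real address survived masking.
IF EXISTS (SELECT 1 FROM dbo.Customer WHERE Email NOT LIKE '%@example.invalid')
    THROW 50000, 'Masking incomplete: refusing to produce the dev backup.', 1;
GO

-- 5. Back up the masked copy; this file is the only one development receives.
BACKUP DATABASE ProdCopy_Staging
    TO DISK = N'\\devshare\refresh\DevDb_masked.bak'       -- assumed path
    WITH INIT, COMPRESSION, CHECKSUM;
GO
```

Extend step 3 with every table that holds PII; the EXISTS check in step 4 should grow with it so an unmasked column fails the job rather than reaching dev.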