You say you don't want to give access to spigot.yml for security reasons. But not all of the parameters can hurt the server.
I suggest that you add harmless settings to the Settings tab, or somewhere else. For example, you could allow view-distance (set a limit of 4-10 chunks, for example), entity-tracking-range, entity-activation-range and some other settings. This would be very useful.
If you don't, please give me your reasons.