1. What I would do is delimit the entire solution - into separate projects - components, into separate repositories.
2. Gave access to the new developer to the repositories he needs, let him have fun there, let more advanced developers approve changes to his code after checking his code, for example.
3. Of the harsh protection options - developing on a virtual machine through the same vnc / rdp with a ban on synchronization of the clipboard of the terminal connection and the machine on which it is running, i.e. the standard feature is to copy the code in the rdp session to the clipboard and paste it into notepad on the working machine with which you connect via rdp will no longer work - to pull out the code you will have to take a lot of screenshots - this was practiced by a friend in the office, but there the software is very bank-tricky, and the virtual machine was reset to the default state after the end of the working session and had access only to the development servers, the production servers were maintained and the code on them was laid out by verified employees in another department.

The question itself already contains the answer :) If you have separate servers for testing and a separate virtual machine for development, then you just need to close access to the production base/server.
And on test servers to use test bases. If you need a lot of data, generate it.

And what's the problem with just not letting them into combat servers? In the sense of why not raise a local database with fake data?