There are two things to be considered, first is data protection and second is unauthorized use of that data (i.e. execution of any other user's scripts or codes by any unauthorized users).
To avoid any unauthorized execution, you can set SUID on particular files. As far as I know noexec will even not allow the owner to execute it.
Second, for data protection, you can consider sticky bit permission on
/data for better protection of this sort of data which is accessible to many different users. Sticky bit will allow only the owner of directory, owner of file or superuser to modify the content. It's quite simple and easy, as: