Answered my own question...
Synapse SQL Administrator gives db_datareader and db_datawriter on serverless pool databases. Instead, the customer can create a user in Synapse serverless and assign only db_datareader. This user/account does not need RBAC in Synapse Studio, but needs Storage Account Reader RBAC.
Configure Database-scoped permissions
You can grant users access to a single serverless SQL database with the steps outlined in this example:
1. Create a login. Change to the master database context.

    -- In the master database
    CREATE LOGIN [alias@keyman.com] FROM EXTERNAL PROVIDER;

2. Create user in your database. Change context to your database.

    -- In your database
    CREATE USER alias FROM LOGIN [alias@keyman.com];

3. Add user as a member of the specified role in your database (in this case, the db_owner role).

    ALTER ROLE db_owner ADD MEMBER alias; -- Type USER name from step 2
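
The read-only variant described at the top of this answer, written out as an added example (not part of the original post or of the quoted documentation). It grants db_datareader instead of db_owner and then lists the user's role memberships so the result can be checked. The database name YourDatabase is a placeholder; the login and user names are the ones used in the steps above.

```sql
-- Added example: least-privilege variant of the steps above.
-- Assumption: [YourDatabase] is a placeholder for the serverless SQL database.

-- Step 1: create the login in the master database.
USE master;
CREATE LOGIN [alias@keyman.com] FROM EXTERNAL PROVIDER;

-- Step 2: create the user in the target database.
USE [YourDatabase];
CREATE USER alias FROM LOGIN [alias@keyman.com];

-- Step 3: grant read access only (db_datareader instead of db_owner).
ALTER ROLE db_datareader ADD MEMBER alias;

-- Check: list every database role the user belongs to.
-- For a read-only account the only row expected is db_datareader;
-- a db_owner or db_datawriter row means the account is over-privileged.
SELECT r.name AS role_name,
       m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r
    ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m
    ON m.principal_id = drm.member_principal_id
WHERE m.name = N'alias';
```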