I will answer your questions in order. Remember, we have no insight into your environment so these are educated guesses:
- Turning off their accounts should not break anything with the on-prem Exchange server. They only thing I can think of that might be linked is your backup system whether it is Veeam or some other software and/or your Azure AD Connect. I'd try disabling their accounts, let a night cycle run through and see what happened. With Azure AD Connect, you might just have to reconfigure it if it was tied to their accounts.
- With Domain and/or Enterprise Administrator (on-prem) and Global Administrator, you have the most access you'd ever need. As stated in the previous you might have some backup software running, which you should ensure you have access to that software. Additionally, if you are running VMs such as VMWare with ESXi hosts, you should ensure you have all the necessary passwords for that.
- There is no such checklist as every environment is different. Deal with the problems as they come. There is a lot of support out there and surely experienced consultants will be able to deal with issues as they arise.
Good luck and try to stop worrying too much.
If this is helpful please accept answer.