Since the settings revisions are stored in postmeta of a custom post type, upon saving the settings the corresponding post can get a post_status of pending. Filters can be added for all registered settings to override the current value with whatever value is stored in the most recently published (non-pending) settings revision post.
Add a checkbox to mark a post as pending revision.
Add a custom capability which restricts even admins from being able to publish new revisions, even if you have edit_theme_options. A new role can be created for settings_publisher.
If you select a pending revision to activate (without any changes to it), no new revision should be created but the status should just be changed, with the post date set to now.
When an unprivileged user accesses the customizer (or if the checkbox is marked), the publish button becomes a Submit for Review button.
Settings publisher can select among pending revisions and pick the one they want to go live with.
An unprivileged user can edit a pending revision, and it will create a new pending revision based on it.
When a privileged user publishes a post, their name should be attached to the revision to indicate it was authored by the first user and then authorized/published by the second.
Since the settings revisions are stored in postmeta of a custom post type, upon saving the settings the corresponding post can get a
post_statusofpending. Filters can be added for all registered settings to override the current value with whatever value is stored in the most recently published (non-pending) settings revision post.edit_theme_options. A new role can be created forsettings_publisher.