Can API be disabled?
Just don't create any API keys?
You can create API keys if you know the username and password (and 2fa token if 2fa is enabled). Granted, if you know those, you can probably just log into the Manager too, but last I knew, API auth bypasses IP whitelisting.
If our linode is doing what it needs to do and nothing is being added/changed, can API be disabled?
It's not possible to disable the API, but if you enable 2 factor auth, it won't be possible to create API keys without that, so it'll be effectively unusable.