Can a webapp access a config file I define and put at the Tomcat->Conf sort of level, or am I restricted to web.xml environment variables alone?

You can put config files everywhere you want. You just need to know its exact location, then you can use one of zillion ways in Java to read resources. Canonical approach is to put it in the classpath or to add its path to the classpath, so that you can just read it from the classpath by the class loader. For more detail, see also this answer.

I suspect the answer is no as it would probably be rather dangerous for a webapp to access anything outside the webapp directory.

It’s only dangerous if the client can control/change this behaviour by manipulating HTTP requests accordingly. With properly designed servlets, this shouldn’t be possible.

I don’t want to use web.xml as I don’t want any possibility of this config getting into a production environment.

I’m not sure if I understand your concern. By default, clients won’t be able to see web.xml file (actually, the whole /WEB-INF and /META-INF folders are restricted from direct access by clients). Only when you’ve a badly configured/written default servlet, then chances are there that clients will be able to download and see web.xml file.

It should reside purely in my dev tomcat instance. (It’s just a flag to allow me to bypass certain functionality which, in dev, is extremely slow and not critical to include)

I think it’s a bad idea to download config files from a remote location. This way everyone else can see your config files. You’d need to serve it over HTTPS and put login based access restriction on it. This all is plain clumsy.