I might have found at least, an itsy bitsy hole.
Normally a user without administrator privs. cannot add items to the /Applications directory without the authenticating with an Admin account. However, in terminal, someone can invoke rm <folder> into /applications without having to authenticate.
Normally a user without administrator privs. cannot add items to the /Applications directory without the authenticating with an Admin account. However, in terminal, someone can invoke rm <folder> into /applications without having to authenticate.