If a user has access to your WordPress admin area then they will have access to all the files which are currently installed on WordPress this includes all plugins and themes.
If they have access to plugins they can activate them, deactivate them, delete them, add new plugins. If they can access themes they can delete a theme, edit the files, disable a theme, change a theme. You can control the entire look and functionality of the site just by having access to the admin area.
Most users will need access to the admin area but they will not always need access to plugin files or theme files.
When you have access to the files you can open the theme in the in-built editor and start changing the HTML of the theme. This is a great feature if you notice a spelling error or need to switch a CSS class in the HTML but if someone doesn't know what they are doing they can easily break the look of the site.
The best solution is to have a development site setup where you can make changes to the theme without affecting the live site, then when your happy with the change upload it to the site.
You can actually stop any user from having access to edit the files in the WordPress admin area, which means the only way to change the files would be to upload the files through a FTP.
Add the following to the wp-config.php file to stop anyone having access to the file edit mode in WordPress.
define( 'DISALLOW_FILE_EDIT', true);
Block Plugin Updates and Installation
If you want to make sure that the user's of your WordPress site are not allowed to update and plugins or install any new plugins then you can use the following code snippet.
Add this into your wp-config.php file it will disable access to new updates or installations.
Settings this constant will also disable the theme editor area which the DISALLOW_FILE_EDIT will disallow. If you want both to be disallowed you only need to use DISALLOW_FILE_MODS.