it's a two stage process, an administrator has to first approve the application, and then once approved when a user logs in, the application is allowed to communicate with S50, under the currently logged in users ACL.  Basically, the application abides by it's own ACL, regardless of 3rd party addons being allowed, they run in the current context of the user currently logged into S50.  For apps that run out of context (with s50 closed), yeah they will run regardless, but hopefully you trust all of those apps, because you know, you installed them.  And then an S50 admin approved and created the cert for them to run.  I mean wow, yeah they can login at night and do things, like be awesome, but you allowed it.  Quickbooks has had the same model for 10+ years, it works, don't install shady apps.