I'm a newbie at DB admin and have been trying to understand similar issues. So the following might not be completely right, but hopefully it's a step in the right direction and someone with more experience can amplify or correct.
My sense is that what PostgreSQL expects you to do is to GRANT permissions to specific users for specific actions. If someone can make changes from pgAdmin that you don't think they should be allowed to make, it presumably indicates that permissions have been GRANTed them in the underlying DB that shouldn't have been.
I find that if I run pgAdmin as a "regular" user and then try to do something that only a privileged user can do, I get a login screen to enter the "postgres" password. Right now, the only users I have are peons and postgres, so I don't know how this extends to those with intermediate levels of privilege.
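An added example, not part of the original post: one way to grant per-action privileges to roles with intermediate levels of privilege and then audit what each role can actually do on a table, which is the check to run when pgAdmin lets someone change more than expected. The role names `report_reader` and `order_editor` and the table `public.orders` are hypothetical, and the script is assumed to be run by a superuser in a scratch database.

```sql
-- Added example. Hypothetical names: report_reader, order_editor, public.orders.
-- Everything runs in one transaction and is rolled back at the end.
BEGIN;

CREATE TABLE public.orders (id serial PRIMARY KEY, note text);
CREATE ROLE report_reader LOGIN;
CREATE ROLE order_editor  LOGIN;

-- Grant only the actions each role needs.
GRANT SELECT                 ON public.orders TO report_reader;
GRANT SELECT, INSERT, UPDATE ON public.orders TO order_editor;
-- INSERT into a serial column also needs the backing sequence.
GRANT USAGE ON SEQUENCE public.orders_id_seq TO order_editor;

-- Audit 1: explicit grants recorded on the table, including any to PUBLIC.
SELECT grantee, privilege_type, is_grantable
FROM information_schema.table_privileges
WHERE table_schema = 'public' AND table_name = 'orders'
ORDER BY grantee, privilege_type;

-- Audit 2: effective privileges per role. has_table_privilege() also counts
-- privileges obtained through role membership and through PUBLIC, so it
-- answers "can this login really do X" rather than "was X granted directly".
SELECT r.rolname,
       has_table_privilege(r.rolname, 'public.orders', 'SELECT') AS can_select,
       has_table_privilege(r.rolname, 'public.orders', 'INSERT') AS can_insert,
       has_table_privilege(r.rolname, 'public.orders', 'UPDATE') AS can_update,
       has_table_privilege(r.rolname, 'public.orders', 'DELETE') AS can_delete
FROM pg_roles r
WHERE r.rolname IN ('report_reader', 'order_editor')
ORDER BY r.rolname;

-- Audit 3: roles whose attributes sidestep per-table grants entirely.
-- A superuser passes every privilege check regardless of GRANT/REVOKE.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb
FROM pg_roles
WHERE rolsuper OR rolcreaterole OR rolcreatedb
ORDER BY rolname;

-- Remove a privilege that should not have been granted, then re-check.
REVOKE UPDATE ON public.orders FROM order_editor;
SELECT has_table_privilege('order_editor', 'public.orders', 'UPDATE') AS can_update;

ROLLBACK;
```

After the `REVOKE`, the final query returns `false` for `order_editor`, while a superuser such as `postgres` would still return `true` for every privilege.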