Builds that are run on the controller can read or modify files in $JENKINS_HOME. This can be used to perform all sorts of activities that impact the entire Jenkins installation, such as installing plugins, reading credentials, creating new jobs, etc.
In an environment where there's a distinction between people who administer Jenkins and people who configure jobs or commit changes into projects being built, you should generally configure the controller to have no executors, and run builds only on build agents.
To prevent builds from running on the controller directly, navigate to Manage Jenkins » Manage Nodes and Clouds. Select master in the list, then select Configure in the menu. Set the number of executors to 0 and save. Make sure to also set up clouds or build agents to run builds on.
If you do not have any other computers to run build agents, or you can run a build agent as a different operating system user on the same computer to achieve the same isolation effect. In this case, review file system permissions for $JENKINS_HOME.
Alternatively, use a plugin such as Job Restrictions Plugin to limit which jobs can be run on certain nodes, such as the controller, independent of what your less trusted users may use as label expression in their jobs' configurations.