I NEED them to be able to install their own plugins and themes.
Then you can't use multisite. Sorry, but it's that simple.
There is a list of maybe 5 single plugins I dont want them to have access to. not all of them, just a few.
There's no built-in way to disable these sort of things. If you actually went down the multisite route, then yes you can contorl what's installed. If you go as single instalations, which you will need to do to allow plugin installation, then you can't block them installing plugins.
The only thing that I'd suggest doing is setting up a searching script that will look at all of the WP installations and see what plugins have been installed and see if any of them are on the "bad plugins" list. If they are you can alert the sites owners and tell them that they must remove it. Don't try to remove it yourself automatically because you never know what you might break if you do, and you really don't want to be the one breaking a clients website for any reason.