This is the answer I got from another guy that seems to be an experienced WordPress developer.
He is basically saying that a WordPress Admin of one installation can access and do what he wants to any of the sub folders in the hosting account since he can execute any code he wants.
I understand that for the right hacker anything is possible. I want to know if someone with a bit of programming skills can do some damage. Not if a world-class hacker theoretically could do something.
Thanks again for your replies.
In short, no.
The long answer. As an admin they have complete control of the content and options of the site, and (usually) what code is executed on the server. You can disable plug-in & theme editing/installing:
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );
(in your wp-config.php) but they can still do 'damage' by irrevocably deleting data (backup?).
In your context you seem to want to preserve the user's ability to "download plugins etc". In which case you're explicitly allowing them to execute any code they want on your server - they can do this with just access to the theme/plugin editor. If you've got multiple installs in sub-directories to the root folder allocated to you by your host, then in general those other installs would also be vulnerable.
(If you're running multi-site, then yes, obviously each site in the network is vulnerable.)
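An added example, not part of the original post or the quoted answer: a Python 3 audit that walks one hosting root, finds every install's wp-config.php, and reports whether the two constants named above are actually set to true. The directory names and file contents are constructed sample data, and the function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

HARDENING_CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")
# Captures the constant name and its raw value from define( 'NAME', value );
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*([^)]*?)\s*\)\s*;""", re.I)

def strip_php_comments(src):
    """Drop /* */ blocks and whole-line // or # comments so commented-out defines are ignored."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)^\s*(//|#).*$", "", src)

def read_constants(config_text):
    """Return {constant: bool}; absent means False, and the first define wins, as in PHP."""
    found = {}
    for name, value in DEFINE_RE.findall(strip_php_comments(config_text)):
        if name in HARDENING_CONSTANTS and name not in found:
            # Assumption: only a literal true or 1 counts, to keep the check conservative.
            found[name] = value.lower() in ("true", "1")
    return {name: found.get(name, False) for name in HARDENING_CONSTANTS}

def audit_hosting_root(root):
    """Map each install directory (relative to root) to its constant settings."""
    report = {}
    for cfg in sorted(Path(root).rglob("wp-config.php")):
        text = cfg.read_text(encoding="utf-8", errors="replace")
        report[str(cfg.parent.relative_to(root))] = read_constants(text)
    return report

def build_sample_tree(root):
    """Constructed sample: three installs in sub-directories of one hosting account."""
    samples = {
        "site-a": "<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\ndefine( 'DISALLOW_FILE_MODS', true );\n",
        "site-b": "<?php\n// define( 'DISALLOW_FILE_EDIT', true );\ndefine('DISALLOW_FILE_MODS', false);\n",
        "site-c": "<?php\ndefine( 'DB_NAME', 'example' );\n",
    }
    for name, body in samples.items():
        site_dir = Path(root) / name
        site_dir.mkdir(parents=True)
        (site_dir / "wp-config.php").write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for site, flags in audit_hosting_root(tmp).items():
            print(site, flags)
```

Any install reported as False for either constant is one where an admin of that site can still edit or install code, which is the case the answer says puts sibling installs at risk.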