Need additional security roles that are exclusive to power apps/power automate separate and distinct from the roles and permission granted to the 1st party Dynamics apps (Sales, Customer Service, etc.) Or the functional equivalent.
When granting a Power License to the 'citizen developer' they immediately have access to all the fields for the set of tables used by the first party app provided by their role. All the extra controls on data validation, formatting and integrity provided by the 1st party app are bypassed and they can practically do what they want without the same control.
Leaving aside the obvious security gap, it places the 1st party apps at risk to data integrity issues.