For themselves, not for others.
Any ‘run javascript’ action in the front-end is manipulateable. They could edit the script itself, or just the results.
A server script initiated on the front-end can also be modified (the content in ‘Node script’ is client-side and can be modified by the user).
You could do that, just make sure you don’t run into this issue re. backend workflows at the same time