If you ignore the 2 ways in which they can't stomp on each other, then they can't. In practice, however, I can write a script that will take 100% percent CPU, bring the database to its knees and http_get gives me a great way to saturate bandwith as well.
You need a lot of trust to let people (potentially) do that. You have to trust that they're not malicious and skilled enough that they won't do something like that by mistake and not making mistakes is a lot to ask from a human being.
This is, however, not a problem specific to ACS. All you need is a system powerful enough to let you write an infinite busy loop.
There are ways to mitigate this problem (setting user limits in OS) but I'm not sure how well they work in practice. It looks like a battle you cannot win.
