One of the most serious mistakes that you can make in a Linux system is to "give someone other than root super powers." That's repeating the old Windows mistake, and it has exactly the same very harmful consequences.
When you, or anyone at all, log in to your system, you should be a non-privileged, ordinary-Joe user. (The same is true in Windows, where they're called "limited users.")
You should designate one account, not normally used, in which to do all non-rootly system maintenance. And you should reserve root strictly for those tasks which demand it.
On any system of any type, you cannot prevent a program from somehow finding its way into your system and being run 'by you.' [All the money you spend on "anti-virus" programs, which try to do precisely that, is (imho) wasted.]
But you can prevent the program from succeeding!
"Nasty programs" require considerable privileges to be able to do their nasty things. On a "typical" Windows system that's easy, because every Joe-user has unlimited powers. But if those same nasty programs are run by a user with no privileges at all, they don't succeed. They can't.
This is done by very careful design, and it's your best ally.
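
One way to check a system against the advice above, as an added example that is not part of the original post: the script lists every account other than root that has UID 0, and every member of an admin group other than the one designated maintenance account. The group names (`sudo`, `wheel`, `admin`), the account name `maint`, and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts holding root-equivalent power besides root.
# Functions take passwd/group-format file paths, so they can run on copies.

# Accounts other than "root" with UID 0 (superuser under another name).
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Members of admin groups. Group names are an assumption; adjust per distro.
admin_members() {
    awk -F: '$1 ~ /^(sudo|wheel|admin)$/ && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "$1" | sort -u
}

# Report everything except the one designated maintenance account ($3).
audit_privileges() {
    extra_uid0 "$1" | sed 's/^/uid0:/'
    admin_members "$2" | grep -vxF -- "$3" | sed 's/^/admin:/'
    return 0
}

# Constructed sample data (not from a real system).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joe:x:1000:1000:Joe:/home/joe:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
maint:x:1002:1002:Maintenance:/home/maint:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
wheel:x:10:
sudo:x:27:maint,alice
joe:x:1000:
EOF

audit_privileges "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" maint
```

On a real system, pass `/etc/passwd` and `/etc/group` instead of the sample files. The script does not read `/etc/sudoers`, which can grant the same power to individual users.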