create a test product - on Products page in Admin area, click on settings tab- Access Control List and Customer Roles attributes are present in Product Settings - I do not think This is not required here to be made configurable by vendor / non admin  user.
Hackers can write a plugin related to product functionalities and access these attributes  to overwrite the customer roles setting to Admin or other privileged accounts.
As far as I understand, these 2 attributes should be removed to be configurable in product settings.