Can they theoretically develop a WP plugin to access the files (or even WP config, including DB credentials) of another WP installation?
Yes, your installations are sandboxed at the server/host level, not the WP level. If your users have the ability to upload plugins or edit PHP, then they can easily upload a version of the
emergency.php targeted at the other installs and reset the admin password. Likewise they could insert a PHP shell.
It’s also much worse, if one of those sites gets hacked, all of them could be infected. You also have a more difficult time with backups
If you are concerned for security, you should fix this immediately.