Question on registered user concept

I read the article on the upcoming admin plug-in (http://getgrav.org/blog/admin-plugin-development). I would like to understand what the concept of a ‘user’ is.
I wonder if that would allow “untrusted but registered and logged in” users to add comments/remarks on blogs? How would that work? Would such a ‘2-line comment’ go into its own file ('cause it’s a flat-file CMS) or rather a DB row? Could that comment be markdown, or would that be a security risk (e.g. crafting special markdown to abuse a parser bug in the markdown parser)?
Or is a “user” more like a member of the same club, or a colleague at work? Or even somebody very trustworthy (like an employee responsible for adding content)?
Could Grav ever be used for an online shop (customers (= users) logging in to add goods to their cart and check out these goods, while at the same time being resistant to malicious hackers)?

(I understand Grav is extensible and in theory all is possible; I would rather like to get an answer explaining the ‘philosophy’ of Grav.)

Thank you