Users can do two things:
1. Users can open the style selector and then replace the Style ID in the URL to change the selected Style ID stored in their profile. So long as the xf_token is in the URL, the selection saves, but only the default style will be displayed. This is annoying, because my user's selected styles appear in their postbit.
2. Users can load a simple userscript to replace the style ID in the "css.php" stylesheet declaration. The css.php file returns the correct CSS values, even if the style is hidden/disabled and even if the user is not an administrator. This allows the user to actually "see" and "use" the disabled style.
I'd rather that members not be able to do either of these things, because if I have a style disabled, I usually have it disabled for a good reason.
I'd like to be able to prevent both scenarios, if possible.