Exactly - for this type of users i would disable the create own notifications inside the user role or better create a role copy and disable the not wanted settings there.
For this point there is the default rule - notify for every contact. This rule has also a set condition.
You must think about the notification system more like an external application that only gets the data about an event and some other information but no direct logic what to do.