Securing table creation
From | GH |
---|---|
Subject | Securing table creation |
Date | |
Msg-id | 20001115164523.A13060@over-yonder.net |
List | pgsql-novice |
How are Postgres administrators (e.g. ISPs) securing table creation?

As I see it, any user may create tables under any database (except Postgres system catalogs) whether they are meant to be allowed to or are not. Is this accurate? I do not see any way to define permissions for a database regarding creating tables under that database. This seems like a security flaw. Is that the case?

Suppose there exists a multi-user webserver. There are many users who have access to Postgres, but not to everything within Postgres. If there is among the users one that is hostile (or uncareful) it seems to be possible for this user to create tables under any database... and insert data into that table. Of course, reads and writes to existing tables are managed by grants, but not table creation.

Is there a way around this? I hope to (almost have to) use strictly database-based authentication (i.e. without using external password files). It seems that tables can be created under any database regardless of the authentication setup in pg_hba.conf (e.g. using a separate password file for each database, database-based passwords, etc.).

I thank you.

gh