The problem is that you give only access to repository areas. But the permission do not apply directly for functionality. That means if you want to effectively disable the package manager for some users, you need to remove the permissions from the repository, which the package manager requires to work properly (it's /etc/packages).
There is no real solution, if your users need to have read and/or write access to /etc/packages, but are not allowed to use the package manager. The only chance is then block access to the package manager, but that's often not possible, because others need to access it.