I have a Affiliate user group that is very locked down - they can only view certain apps, use certain resource and so on. Also the All Users group can basically do nothing.
If they go to their Default Workspace like this:
It opens the normal App view, all of the Create App/Database/Resource options show up. These are not functional thankfully!
If you click the hide link in the upper right is goes away and I can't find a way to get it back.
But the Query Library tab is there and they can make changes there!
This is on Cloud.
Thanks for flagging this @bradlymathews!
The Create App/Database/Resource issue repros for me as well, I'll pass it along to the dev team.
For the query library issue - what permissions do those users have on the query library?
In order to fully hide the QL tab they would need to be set to No access in all of their groups:
With Use queries in apps they should be able to see the QL tab and run the queries but not edit them.
I missed that setting in All Users - was set to Edit queries there. I now have All Users set to Use queries in apps, editors and admins to Edit queries and everyone else to No Access.
Now they can still see the queries, but not edit them. They really, really should be even be able to see them though. We will be giving customers access to certain apps and we don't want them seeing any of the sausage making or other proprietary secrets. Anything else I am missing?
Not that I'm aware of 
I surfaced it as a feature request with the dev team. And will follow up here if it gets included.
