I've just ran some tests and it looks like when dev 1 only has read-write access to website1 he/she can still install packages to website2. Isn't that very poor design of the package manager? Anyone else know how to restrict access/permissions for the package manager?
If you install content via packages, you need to have access rights on the path you want to place the content to. So if dev1 wants to upload content to /content/site1, he needs to have write create and modify rights, to actually work with that in siteadmin read access is also required.
In your case you should the access rights of the user in the useradmin console to validate what access rights "dev1" has on /content/website2.
The access control is enforced on a repository level, and the pacakge manager cannot bypass this.
Thanks Jorg, in the meantime I've ran some more tests and you're write, the package manager cannot bypass the permissions set by the usergroups. That answers my question