from my understanding, it depends on how the smart contract of the token/coin is created, and in some cases [name of project withheld ] though minor, it is possible the developer(s) can unsolicitedly debit a user for a token. It may be arguable if this is right or wrong though, and if the developers have such rights to do that