from my understanding, it depends on how the smart contract of the token/coin is created, and in some cases [name of project withheld ] though minor, it is possible the developer(s) can unsolicitedly debit a user for a token. It may be arguable if this is right or wrong though, and if the developers have such rights to do that
moreover, i think this flaws the concept of Decentralization and blockchain, and as such would taunt the name of the project(s) in question, that would be bad for business