Disable remote shell

  • sbrews
    Junior Member
    • Dec 2016
    • 10

    #1

    Disable remote shell

    Per a request from the security team:

    Using native functionality of the Zabbix web UI as an administrative user, it was possible to execute arbitrary commands on the Zabbix Server as the 'zabbix' user account. From here, it was possible to gain a remote shell on the Zabbix Server...

    They are requesting that this be disabled. I have been searching the docs but haven't found anything (yet) that will tell how to disable (assuming it is an option).

    Is it possible to disable this ability? If so, what needs to be updated?
  • kloczek
    Senior Member
    • Jun 2006
    • 1771

    #2
    Originally posted by sbrews
    Per a request from the security team:

    Using native functionality of the Zabbix web UI as an administrative user, it was possible to execute arbitrary commands on the Zabbix Server as the 'zabbix' user account. From here, it was possible to gain a remote shell on the Zabbix Server...

    They are requesting that this be disabled. I have been searching the docs but haven't found anything (yet) that will tell how to disable (assuming it is an option).

    Is it possible to disable this ability? If so, what needs to be updated?
    And this is why permission to change items definitions and use for example external checks is available to zabbix users with "Zabbix Super Admin" user type.
    You can just assign user to only "Zabbix Admin" to block access to Administration menu.
    If you want to control what is really executed from zabbix user you should use SELinux (on Linux) or RBAC (on Solaris and *BSD).
    http://uk.linkedin.com/pub/tomasz-k%...zko/6/940/430/
    https://kloczek.wordpress.com/
    zapish - Zabbix API SHell binding https://github.com/kloczek/zapish
    My zabbix templates https://github.com/kloczek/zabbix-templates

    • sbrews
      Junior Member
      • Dec 2016
      • 10

      #3
      So the ability to get a remote shell is part of zabbix, correct?

      Other than changing user level access to either admin or user, this "ability" can't otherwise be disabled?

      • kloczek
        Senior Member
        • Jun 2006
        • 1771

        #4
        Originally posted by sbrews
        So the ability to get a remote shell is part of zabbix, correct?

        Other than changing user level access to either admin or user, this "ability" can't otherwise be disabled?
        No. TTY access is not part of the framework.
        Generally on server there are at least three possibilities:
        - external check where name of the key is name of the script which will be executed from proxy or server (if external item is on the host monitored without proxy)
        - trigger script: If Zabbix super user defines over Administration->script is possible to execute by click in Host column one of the defined in Scripts actions
        - execution of the command/script as result of action when state of the trigger is changing (Configuration -> Actions -> trigger action -> Operation type=Remote command)

        Other possibilities are related to processing trigger over media where is possible to define custom media on which processing will be executed on server side command with passed some details about trigger which just changed state.

        All those possibilities are used in non-tty mode as well defined (over web interface) set of commands with parameters.

        Without those possibilities will be not possible many things.
        Possibility to define actions, new media, external scripts or other are available only for "Zabbix Super Admin" so this priv should be granted carefully.
        Additionally all changes made in media, actions, items definitions, assigned templates etc. are logged in audit log. At the moment to be honest access to audit table where are stored audit records is RW for zabbix DB user so in practice using for example trigger menu script it should be possible to execute DB client command to wipe out some audit records.

        However it is one known possibility how to protect audit records.
        It is possible to guarantee malicious changes in audit records by granting insert only priv to zabbix DB user, disable audit table housekeeping (Administration -> General -> Housekeeping -> disable audit HK) and do housekeeping of this table by stored procedure executed for example daily by SQL event which will be deleting oldest audit records. Such procedure needs to be executed from separated DB user which will have delete priv.
        http://uk.linkedin.com/pub/tomasz-k%...zko/6/940/430/
        https://kloczek.wordpress.com/
        zapish - Zabbix API SHell binding https://github.com/kloczek/zapish
        My zabbix templates https://github.com/kloczek/zabbix-templates
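
The audit-table protection described in post #4, sketched for MySQL 8 as an added example; it is not code from the thread or from the Zabbix project. The schema name `zabbix`, the application account 'zabbix'@'localhost', the housekeeping account `zbx_audit_hk`, the object names and the 365-day retention are all assumptions.

```sql
-- Added example, not from the thread. Assumed names: schema `zabbix`, application
-- account 'zabbix'@'localhost' holding a schema-wide grant, hypothetical
-- housekeeping account 'zbx_audit_hk', 365-day retention. Run as a DBA account,
-- with audit housekeeping already disabled in the frontend
-- (Administration -> General -> Housekeeping) and event_scheduler = ON.

-- MySQL grants are additive: a schema-wide grant cannot be narrowed for one
-- table (unless partial_revokes is enabled), so switch to per-table grants.
REVOKE ALL PRIVILEGES ON zabbix.* FROM 'zabbix'@'localhost';

-- Emits one GRANT per non-audit table; execute the statements it returns.
SELECT CONCAT('GRANT SELECT, INSERT, UPDATE, DELETE ON `zabbix`.`', table_name,
              '` TO ''zabbix''@''localhost'';') AS grant_stmt
FROM information_schema.tables
WHERE table_schema = 'zabbix' AND table_type = 'BASE TABLE'
  AND table_name <> 'auditlog';

-- Audit table: append and read only. SELECT is kept so the frontend audit
-- report still works; there is no UPDATE or DELETE for the application user.
GRANT SELECT, INSERT ON zabbix.auditlog TO 'zabbix'@'localhost';

-- Housekeeping identity: locked, so nobody can log in as it, but still usable
-- as the DEFINER of stored programs.
CREATE USER 'zbx_audit_hk'@'localhost' ACCOUNT LOCK;
GRANT SELECT, DELETE ON zabbix.auditlog TO 'zbx_audit_hk'@'localhost';
GRANT EVENT ON zabbix.* TO 'zbx_audit_hk'@'localhost';

-- Retention job runs with the definer's rights, not the caller's.
CREATE DEFINER = 'zbx_audit_hk'@'localhost' PROCEDURE zabbix.purge_old_audit()
  SQL SECURITY DEFINER
  DELETE FROM zabbix.auditlog
  WHERE clock < UNIX_TIMESTAMP(NOW() - INTERVAL 365 DAY);  -- clock is epoch seconds

GRANT EXECUTE ON PROCEDURE zabbix.purge_old_audit TO 'zbx_audit_hk'@'localhost';

CREATE DEFINER = 'zbx_audit_hk'@'localhost' EVENT zabbix.ev_purge_old_audit
  ON SCHEDULE EVERY 1 DAY
  DO CALL zabbix.purge_old_audit();

-- Check: the application account must show no UPDATE or DELETE on auditlog.
SHOW GRANTS FOR 'zabbix'@'localhost';
```

With the schema-wide grant gone, the application account can no longer run the DDL that a Zabbix version upgrade performs, so upgrades need the broad grant restored for the duration or applied from a DBA account.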

        • ramasamy
          Junior Member
          • Dec 2021
          • 6

          #5
          Is this still the same on newer versions of Zabbix 5.4 or 6.0? Can the global script execution on zabbix server be disabled similar to agent or proxy configuration in 5.4 or 6.0?
