This section of the docs describes how you can configure users and their permissions: Securing Node-RED : Node-RED
If you want to have a user who can view the flows but not make any changes. For example, I want to show you my flows, but not let you make any changes.
Nothing requires you to have a read-only user if you don't have a need for one.
If the user can make changes, they aren't a read-only user any more. As per the docs I linked to above, you can configure multiple users with read-write access in whatever way you want.
The Node-RED runtime is single-tenant. Whilst you may have multiple users able to access the editor, they are working on the same set of flows. There is no 'isolated sandbox' within Node-RED.
There are some 3rd-party platforms that make it easier to manage multiple users across multiple instances of Node-RED, with different levels of access control. For example FlowForge - (disclosure: when I'm not running the Node-RED project, I'm the CTO/Founder of FlowForge). It depends on what your specific requirements are.
We are actually planning to implement multitenancy in Node Red for the whole community in the beginning of 2023. If you'd like to join the effort, that would be great.