If you want to have a user who can view the flows but not make any changes. For example, I want to show you my flows, but not let you make any changes.
Nothing requires you to have a read-only user if you don't have a need for one.
If the user can make changes, they aren't a read-only user any more. As per the docs I linked to above, you can configure multiple users with read-write access in whatever way you want.
The Node-RED runtime is single-tenant. Whilst you may have multiple users able to access the editor, they are working on the same set of flows. There is no 'isolated sandbox' within Node-RED.
There are some 3rd-party platforms that make it easier to manage multiple users across multiple instances of Node-RED, with different levels of access control. For example FlowForge - (disclosure: when I'm not running the Node-RED project, I'm the CTO/Founder of FlowForge). It depends on what your specific requirements are.