Even with minimal or no ticketing app security role permissions, a person assigned to a ticket can unassign that ticket from themselves. There's no way to prevent that from happening outside of training them not to do it.
As for the workflows, users will not be able to add/remove workflows if they do not have the ticketing app security role permission for "The user will be able to edit all tickets regardless of type". You could try removing that, have them sign out and back in, then confirm that does the trick. The downside to this is they also cannot manually add a workflow to a ticket either.
Sr Support Consultant, CS