Hello krilbe! 
A user can perform certain actions on their metadata if you provide a means for them to do. For example, if you have a form which accepts a street address and saves it to user_metadata, then the user is performing an action to save this data via a POST request to Authentication API Explorer
Because this is only a POST request however, there is no way for a user to further modify this data, unless you build something which allows it. This would mean a regular web application which uses the backend to update the user’s data in the management API, based on something like them having the required scopes.