In principle, a user created in that way cannot do any damage outside his/her own home directory. As you noticed, a regular user does have access to various directories (e.g. in /, /usr/, /tmp). This is a necessity, because most user-accessible programs are located in /usr/bin and /bin. If the user didn't have (read-only) access to these directories, he/she wouldn't be able to run any programs.
However, a regular user doesn't have accesss to home directories of other users.