Yes, I see your frustration.
I also have a bit more specific problem with this setup...
Folks assigning this role to a Cluster (which is just a large resource pool) must have propagate checked, or they cannot complete a VM creation, period.
So with prop enabled, any users associated with the role can see all the VMs in that Cluster, not just their own. Providing the "VM > Interaction" as suggested at the Cluster then allows that user to interact with systems outside their "own" folder.
But you're using Resource Pools, so this isn't a problem. (The above is just a note to others considering this, but who are only using Clusters.)
One question I have for you...
These scratch VMs that a user could create, how would they then go about setting up an operating system and actually doing anything? If you don't allow them to have access to VMFS/NFS ISO datastores (read only permissions at the Data Center instead of Browse Datastore), they shouldn't be able to do too much. Just create empty VMs, right? (They can't use client mounted CDs during boot to load an OS.)
About the only problem would be creating so many bogus VMs that they fill the datastore. But they could do that with legitimate VMs too.