A non-administrative user accessing the URL http://host:port/jasperserver/scheduler/main.html exposes all scheduled jobs, allowing any final user to delete or disable the jobs created by any other user. It's even possible to delete or disable jobs related to reports that the user doesn't have access to according to his roles, which seems a rather large security issue.
There was an earlier post in September 2016 for the same issue on v6.2 and a response that said it would be fixed in the next release. I'm guessing this didn't happen, as we still have the same issue in v6.3 and I couldn't see it mentioned in the known issues.