Your concerns are correct. If you get access to the tenant Veeam server and you either ask to delete the backup files from disk, or you lower the retention, restore points stored at the service providers are deleted, since the VBR server at the provider receives a valid request from an authenticated user. What VCC right now protects you from is an attacker trying to delete backups via the network (like an SMB share or attacking the repository server operating system), but not if the attacker gets access to the Veeam server. That's why we recommend that customers heavily protect the Veeam server, as it's the only place where the VCC credentials are stored.
There are some discussions both in the service provider forums and internally about additional protection technologies we may put in place in the next versions to allow service providers to offer even better protection. Stay tuned.