All builds are isolated from each other by means of KVM virtualization. Intermediate build output is never written to disk, only to memory. The nix build output paths are stored in an encrypted file system.
There is an advanced sandbox in place that makes sure that each virtualized build only has access to its build inputs. There is no network available inside the sandbox.
Nix public-key signatures are used to make sure that only trusted inputs are
used for your builds. Two users might upload the same store path as a build
dependency. If those store paths haven't been signed by a key trusted by both
users, they will be treated as completely separate paths. By default, only the
cache.nixos.org key is trusted. The user can control which keys to trust.
If any uploaded (or built) store path has content that is (byte-for-byte) identical to the content of another store path (possibly created by another account) that content will only be stored once (that is, the actual data is deduplicated).
When an account is deleted, all data produced or uploaded by that account will be removed. This includes all derivations, build history, build artifacts, build and session logs. Deduplicated data might remain after account deletion, meaning that if another account had produced or uploaded identical derivations or build artifacts as the deleted account those will remain but will no longer be possible to relate to the deleted account.