To support the user, theme installation is carefully controlled. Themes can not be changed through scripting, only through the user interface. The user interface has additional controls to prevent the theme user interface itself being hijacked.
When a user requests to change a theme, a check is made of the theme to see if it is authorised. If it is authorised, the theme is changed straight away. If it is not authorised, the user is shown a warning and has to confirm. Only the built-in themes are authorised, so the user has to agree to all user-defined and third party themes.
If you are using a theme, a rogue process running in the theme-provider's account could change the theme, for example by changing the Resources list on the theme definition. To remove this (albeit very slim) possibility, you should only use frozen themes from third parties. If you are creating a theme, you should freeze your theme before you start using it in earnest.
To avoid your theme being tampered with, or accidentally changed, it is good practice to package your theme and all the files it requires into a theme file. This makes sure that users of the theme get exactly the files that you have intended.