Can they theoretically develop a WP plugin to access the files (or even WP config, including DB credentials) of another WP installation?
Yes.
If your folders are owned by the same user, run as the same user in Apache/Nginx or have read/write access to each other, then it’s possible.
Your installations are sandboxed at the server/host level, not the WP level.If your users have the ability to upload plugins or edit PHP, then they can easily upload a version of the emergency.php targeted at the other installs and reset the admin password. Likewise they could insert a PHP shell, or read the wp-config.php of the other install.
It’s also much worse, if one of those sites gets hacked, all of them could be infected. You also have a more difficult time with backups
If you are concerned for security, you should fix this immediately. How you would fix that is server specific and not in the scope of this site. Consider asking on ServerFault