Suppose a 10 year old walks up to a cashier at a Walmart, dumps 50 candy bars on the belt, and hands the cashier a credit card with no adult in sight. The cashier rings it up and charges the card. The kid opens all the candy and gives it away to friends, eats it, whatever. Later the adult discovers that the kid took his card out of his wallet when he wasn't looking and complains to his credit card company.
Not quite. Your analogy is missing the part where the adult walked up with the 10 year old and told the cashier that the child was allowed to use the credit card, and then left. That's not to say that Android should probably have multiuser capabilities across all devices, a device administrator designation, and an account setting about "auth once" vs. "auth for 30 mins" on wallet access.