The external folder can be different than the one used for the FE repository or the BE shared file. THAT folder doesn't have to have DELETE privileges for users. Only the BE folder needs full-on MODIFY privileges. As to "the user cannot inadvertently delete"... if you have users who don't honor company-imposed rules on keeping their mitts away from infrastructure, invest in some barbed-wire bullwhips. Inadvertent deletion can only occur when a user is exceeding his/her authority OR when the code has a bad flaw in it. In the first case, find a way to publicly punish that person. In the second case, whose fault is that?
Keeping multiple-user data in a shared FE file that is downloaded to each user's PC might seem reasonable for performance issues, but if ANY FIELD in that FE's user-oriented table gets changed in the BE, you now need to find a way to detect the change and then to reconcile the shared table vs. the master table. You just bought yourself a ton of overhead. Not only that, but TECHNICALLY that FE-side table now violates normalization even if the BE-side table does not. The question related to normalization is this: You now have two fields holding the same data. What other field do you consult to determine whether to refresh from the BE or use the copy in the FE? Which field is definitive? If it is time-sensitive, which copy contains the deciding date? And why do you continue to use the other copy when you know it ISN'T definitive?
I once did something similar to this, but NOT with user data. We had a lot of lookup tables, SOME of which might have records added to them during a business day, but it was a VERY rare event. I put copies of the lookup data in the FE along with a date marker to show when that lookup table was last refreshed. If you were about to run procedures that would use the lookup, the code would compare the dates for the FE and BE sources and would, if needed, refresh the sources before continuing.
This was NEVER anything but lookup/translation data, which 99% of the time was static. When the app started, the lookup tables in the FE got refreshed and usually stayed that way. It was needed because of horrific speed differences in FE vs. BE. Then we finally got the speed issues resolved by being allocated a VM to act as a back-end that could be LOCALLY shared vs. multi-state LAN sharing (and the BE wasn't local.) But I never backed out those dynamic lookup tables once the local BE server was set up because by then I had bigger maintenance issues to resolve. I CAN tell you that without what amounted to a 5000:1 speed difference between FE and BE, I would never have done it.