I created a custom role "Viewer" in AGOL from the "Viewer Template". This is supposed to limit who can edit my editable feature services. It works as expected in a Web Map. The Viewer cannot edit the feature service. But guess what?! Once you create a Web App from Web AppBuilder with that feature service and Web Map and add in the Edit Widget - the Viewer can edit! I found a forum post that says the Viewer can also edit in the Mobile Apps - such as Collector - I haven't tried that yet, but it would also be a problem if this were the case. https://community.esri.com/message/91046
Web App does not read the roles of the named users in AGOL. This is a HUGE oversight and a serious software problem.
I have created an Idea post for this - vote it up please! http://ideas.arcgis.com/ideaView?id=087E0000000kBsBIAU