Currently there is no way to prevent a user from doing what is outlined.
Please feel free to create an issue: https://github.com/fusionauth/fusionauth-issues
Currently the only way to accomplish this will be to use the Import API, as you mentioned: https://fusionauth.io/docs/v1/tech/apis/users#import-users
We do have an open feature request to allow hashes to be provided on the User API, which I think would be what you're looking for: https://github.com/FusionAuth/fusionauth-issues/issues/348
Feel free to upvote that issue.