How do you handle the countless legit apps that work this way, like Chrome or Firefox? Packaged apps generally rely on something more that would ultimately be missing if you just copied the app over.
The only way to stop this is to go down the rabbit hole of using restrictions on what directories applications can be launched from. I forget now exactly what it's called in Config Profiles, but under the older MCX, it was referred to as whitelist and blacklist folders. It might still have that reference. I believe it's located under Restrictions. You can add /Users as a blacklisted location, which stops them from being able to launch from their home directory.
However, be prepared to play a long game of whack-a-mole if you go this route. Often, you end up needing to keep adding in all kinds of whitelisted locations, over and above just /Applications/ because so many apps these days need to write into and launch helpers and all kinds of other nonsense from various user level locations. Google Chrome is notorious for this, and it becomes almost impossible to whitelist it properly due to some randomization it uses. And hence it will start complaining about not being able to launch its own helper tools each time a user runs the software or when it tries to check for updates.
There are threads about this that you should read. Here are two older ones - thread one, thread two
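An added example, not part of any post in this thread: a pre-deployment inventory of `.app` bundles living under user home directories, which shows the locations that would need whitelist entries before `/Users` is blacklisted. The function names and the `SCAN_ROOT` variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): inventory .app bundles under user
# home directories before blacklisting /Users. Function names and
# SCAN_ROOT are hypothetical, chosen for this illustration.

# Outermost .app bundles under root $1; -prune stops at the outer bundle
# so nested helpers are not double-counted here.
list_user_apps() {
    find "$1" -type d -name '*.app' -prune -print 2>/dev/null | sort
}

# Helper bundles nested inside another .app (the kind of helper the
# thread describes apps launching from user-level locations).
list_nested_helpers() {
    find "$1" -type d -path '*.app/*' -name '*.app' -print 2>/dev/null | sort
}

# Count bundles per parent directory; each distinct parent is a location
# that would break, or need a whitelist entry, once /Users is blocked.
summarize_locations() {
    list_user_apps "$1" | sed 's|/[^/]*\.app$||' | sort | uniq -c | sort -rn
}

# Assumption: home directories live under /Users, as in the thread.
SCAN_ROOT="${SCAN_ROOT:-/Users}"
if [ -d "$SCAN_ROOT" ]; then
    echo "== Bundle locations under $SCAN_ROOT =="
    summarize_locations "$SCAN_ROOT"
    echo "== Nested helper bundles =="
    list_nested_helpers "$SCAN_ROOT"
fi
```

Run it with enough privilege to read other users' home directories; unreadable folders are skipped silently.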
So multiple ways to do this. You can block certain processes at the kernel level, which we do sometimes. Or you can make the applications folder read-only for users.