You have two issues to think about:
1. Somebody could plug in a dumb switch or a hub, then create a loop on it, the resulting broadcast storm gets passed up to your network via the single link it has to the network.
STP cannot help you for this. You need to configure loopback-detection.
Loopback-detection should be *very* high on your list of compulsory configs - ahead of DHCP snooping even.
2. Somebody could use the port for connecting some device you don't really want on your network, a switch (allowing multiple devices) or a WAP for example.
The easy thing to do to reduce this risk a little bit is to lock down the port to 2 MAC addresses max, which will be the first two MAC addresses the port sees after you configure it. If it sees any other MAC address, configure it to shutdown the port. Then the naughty users will self-report when they log a ticket with IT that their network is disconnected, which is a bonus.
Somewhat harder is a full-blown 802.1x setup where you control precisely what gets access via your ports.
