You don't need root to do serious damage. Even if you secure the gem installation process, the code inside the game can just do damage later. I think a signing system to prevent third party tampering of gems is the best that any developer packaging system can do.