It's really up to you ... the problem is, that as soon as you assign an Organization Network to be Direct Connect - External ... anyone that can change network settings of a VM can put their VM onto that network.
In the current version of vCloud Director, you would have something like this:
Option 1 - Direct Connect External - > use physical firewalls
Option 2 - Organization Routed Network - > Edge Gateway - > Exernal Network which has exactly 2 IPs (one for the edge, one for the SNAT)
- in this case, there aren't enough IPs to support putting a VM on the external.
So the ky take away, is if you give an Organization use of a resource, they can use it as much as they are allowed to (or exists).
Just food for thought.