I'm a bit puzzled by the first example.
First I've heard of JEA, so probably a lack of understanding on my part...
But - it sounds a little like the PowerShell environment is locked down to a subset of "approved" cmdlets...? Is that right? If so, then if you delegate access to the "Add-Computer" cmdlet, I don't see how it's a security flaw / bug if the delegated admin attempt to connect the machine to a different domain which has a different set of GPO's applied to it. In that scenario you'd need a malicious DNS and network access to the bad domain so the machine can connect to it.
Is my understanding correct, or have I missed something important and probably obvious? :)
If I am getting it, then I think it's a bit of a stretch to say that it's a big security issue. IMHO of course!