Although it is not really possible to prevent malicious users from removing the visitors, even if you water your own plant every day a malicious user could kill it.

Botany checks whether a plant is alive by checking if there is a difference in timestamps from all the waterings that is larger than 5 days.
A malicious user could create a timestamp in the past that is more than 5 days before the last time the user watered their own plant.
When the user then opens botany the plant will be killed.

A simple fix would be to discard all visitor timestamps that are before the last watered timestamp of the user themself (just like timestamps in the future are discarded).