The 2/3+1 of the top 21 BPs can pretty much do whatever they want, just like in STEEM. Witnesses here can roll out code changes right now to freeze accounts, refund money, create 100,000,000 new STEEM tokens, etc, etc, etc. The difference is that on EOS, some of these things are done in system contracts which can be updated in real time via transactions on the chain. It's like having upgradable EPROM in hardware. Some pieces of the system can be updated while it's running via consensus of the block producers. If token holders disagree, they can vote out those BPs and vote in new ones who could potentially undo whatever was done.
As for "freezing" accounts, what was done as an emergency was to use a blacklist approach in the config of each BP to exclude transactions from the accounts. This was an emergency step that many were not happy with (hence the 3.5 hour call). Because it required unanimous approval (if even one producing BP didn't have the blacklist in place, the transactions would go through and the money would be gone), it was a very difficult discussion. Based on the feedback from the community, my hunch is it won't happen again (I don't think eosDAC would support it, as an example).
Interestingly, here's what the current ECAF website says:
I just got off what has become a daily BP call (70+ participants from around the world) and there's still a lot to be worked out in terms of who ECAF is, how they get funded, what role they play, etc. Doing on-chain governance is really complicated stuff.