Jeff... As far as I understand it you're correct.
WinSCP for instance, authenticates the session - and sends 'some' data - via ssh, and other data with SCP or SFTP. It's dependant on the data type and the packet size the protocol can handle - along with what's allowed within each. SCP and SFTP kind of ride on top of the ssh session like a carrier wave, with all of their inherant functions available... in my case, on a DA RedHat E3 box with no additional servers installed, so I assume anyone could use it as well.
No matter what's done (copy / delete / permissions), it's based on the same ssh authorizations the user is setup with. It will transparently bounce between protocols to perform it's functions, but it never goes outside of the restrictions/perms placed on the account by ssh.
Better than any clumsy explanation I could give, theres quite a bit here:
http://winscp.net/eng/docs/protocols
As a side note: For me, using SCP/SFTP is far more efficient than bouncing between FTP and DA, plus a terminal and Putty for command access - with all of it secured via ssh. It certainly doesn't replace DA, but it compliments it. With my root login I have access to the entire file system, just like I'd use Explore or Norton Commander. I haven't used FTP or Vi/Pico in years.