ec2:TerminateInstances still doesn’t support the VPC as a condition, but it does allow you to use tags. You can also limit a role to tagging only the instances they create (as long as they include the tags when they call ec2:RunInstances). You can even require that specific tags are present. Combine all of that with some kind of “owner” tag and it’s a pretty decent solution to the problem. Add automatic tagging on the backend and it’s even better.
That said, it’s not perfect and there are probably plenty of resources it wouldn’t work for. It’s also comparatively fragile.
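The tag-based pattern the comment describes, written out as an IAM identity policy. This is an added example, not the commenter's own policy; it assumes the owner tag is named `Owner`, that the principal is an IAM user (so `${aws:username}` resolves), and that the only tag keys allowed at launch are `Owner` and `Project`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LaunchOnlyWithOwnerTagSetToCaller",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": { "aws:RequestTag/Owner": "${aws:username}" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["Owner", "Project"] }
      }
    },
    {
      "Sid": "LaunchSupportingResourcesAreNotTaggedInTheRequest",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*::image/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:key-pair/*"
      ]
    },
    {
      "Sid": "TagOnlyAtLaunchTime",
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": { "ec2:CreateAction": "RunInstances" }
      }
    },
    {
      "Sid": "TerminateOnlyInstancesTheCallerOwns",
      "Effect": "Allow",
      "Action": "ec2:TerminateInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ec2:ResourceTag/Owner": "${aws:username}" }
      }
    },
    {
      "Sid": "DescribeHasNoResourceLevelPermissions",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }
  ]
}
```

A few points worth checking when adapting this. The first statement enforces tag presence as a side effect: if the launch request carries no `Owner` tag, `aws:RequestTag/Owner` is absent, `StringEquals` evaluates false, and the Allow never applies. The `ec2:CreateAction` condition is what limits tagging to the instances the caller is creating; any other statement in the principal's policies that grants `ec2:CreateTags` or `ec2:DeleteTags` without that condition reopens the door to re-tagging an instance and changing its owner, which is the fragility the comment refers to. For role sessions rather than IAM users, swap `${aws:username}` for a principal or session tag (for example `${aws:PrincipalTag/Owner}`). Instances launched by other paths (Auto Scaling, a CI system) will not carry the caller's tag unless the backend tags them, so this policy should be exercised with the IAM policy simulator against both a correctly tagged and an untagged request before being relied on.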