Do you permit users to store data in tags?

The short answer is theoretical yes but practically no - let us explain.

In general, modern EPC Gen 2 RFID chips ( e.g. the Monza 5 ) come with at least two types of memory: (a) A Tag IDentifier, or TID and (b) Electronic Product Code or EPC.

The TID is hard wired into the tag during production and cannot be changed by anyone.  It contains information about the tag model, the chip manufacturer and a unique serial number.  It uniquely identifies each individual tag.  In theory, and as far as we know in practice, no two EPC Gen 2 tags will ever have the same TID.  It is possible to read the TID but it has no error detection or other safeguards.

The EPC has a very specific format that is written to the tag before it is deployed for use.  All companies that want to deploy compliant tags must register and receive a Company Prefix that must appear in the EPC in a very specific way, along with other parameters such as Item Reference Number, etc.  The structure of the EPC is specified down to the last bit.  Any deviation from this will create a nonstandard EPC.   

Importantly, the EPC also contains data that is used for error detection so that a reader can detect that the EPC it received from a tag is a proper EPC.  In a noisy environment, for example, if an EPC error was detected the reader can ask for the EPC to be retransmitted.  Using a standard EPC guarantees that a RFID reader can read an EPC from a tag and be certain that it is correct.   

In summary,  we write the EPC to the Monza 5 before we send it out.  However, every bit in the EPC is predetermined and cannot be modified without loosing compliance to the EPC Gen 2 standard.