For posterity's sake, or for anyone with the same problem, or future me when I have the same problem and come to search here for the solution, here's what worked:
Deny access to the registrants table for EOTI, except the ability to Add a record. Create a plain numeric field on the events table that gets updated via automation when a new registrant is added.
What was happening was the formula field used to calculate remaining open slots for the event used the summary field number based off counting the registrants, then that remaining open slots number was passed back down to the registrant table to display on the form as they filled it out. Having a plain numeric field on the event table update via automation when a new registrant is added to the related event, then passing that plain number back down to the registrant table worked, and I was able to completely block off access to the registrant table for EOTI, since a summary field no longer needed to "see" how many others had registered for that event, and thus no longer required the registrant role to have access to the table.
Also, an EOTI manually editing the url bar to show specific reports no longer works because table access was able to be denied for EOTI, and the List All of registrants report was placed back on the admin page. An EOTI can still get to the admin dashboard page by manually typing in the URL, but can see no report links or embedded reports they shouldn't.