You retain full control over your project, including who has commit rights to the code (with one caveat - see the note at right). In other words no one can commit directly to your project until / unless you approve them to do so (see Adding a new team member for details on that process).
Of course you should expect pull requests to come in from anywhere, and you are expected to triage those in a timely fashion.
Note: the Foundation manages a GitHub account (finos-admin) that also has implicit commit rights to your project, by virtue of being the administrator of all Program Github organizations. However Foundation staff do not use this account for repository-level activities except in extraordinary circumstances, and even then will attempt to contact the project team and/or the PMC before doing so.