When you use
yum to install a package, you have two main options: 1). install as the root user or; 2) use
sudo after adding a newly created user to the sudo group (fyi: sudo prevents you from having to login as & use the root user account. It provides escalated privileges on-demand to users within the sudo group).
As for the packages you've installed thus far, all packages will be installed to pre-defined directories which is either defined as a standard for the project or defined by the package maintainer(s). Each of the packages, however, has to be installed as root or through a sudo account. A standard user would not be able to install, start/stop/restart or modify the packages unless they gained escalated access by compromising the server (i.e. brute-force / weak passwords, etc - as a simplified, yet all too common example).
When you install a package through yum or apt-get (for Ubuntu) - we'll use NGINX (a web server) as an example, yum will check to see if a package is available and if so, download, extract and install. In most cases, for NGINX, this means that the directory /etc/nginx will be created and all of NGINX's configuration files will be stored there after yum has finished.
From there, it would be up to you to configure NGINX, NGINX Server Blocks (which would be called a Virtual Host if we substituted Apache in place of NGINX), etc. You'd also be responsible for installing and maintaining PHP-FPM (if you want to use PHP) or; if you're going to use Ruby/RoR, simply sub that in place of PHP :).
A Droplet (read: VPS; or Virtual Private Server) is like a blank canvas. Beyond the OS, how it functions and/or what it does is entirely up to you as you're the sole person doing the software installation, configuration, optimization etc. If you want to run NGINX, PHP-FPM and MariaDB and then install NodeJS to power a live / async chat room, you can do it :). Likewise, if you want to install Rub/RoR, Apache, Memcached, etc - you can do that as well!
The one key bit of advice I would give is to read up on basic server security - i.e. software firewall, secure passwords (IMO, anything less than 32-64 random characters consisting of upper & lowercase letters, numbers and random symbols is too short - I've pretty much moved to 64+ as as a standard where allowed) and so forth.