An ACL allows changes to a field that should be locked down by a field-level write ACL. The ACL is respected on the form view, but when transacting via REST (Table API) or GlideRecordSecure, these field-level ACLs are not respected.
Affected releases: Istanbul and Jakarta. This issue is fixed in Kingston.
The root cause of the issue is PRB660114. Although the description does not explain this exact situation, the fix provided in this problem resolves the issue mentioned in this knowledge article.
Upgrade to a fixed version as mentioned in PRB660114. Several fixes were made to GlideRecordSecure (GRS) under PRB660114. The part of the problem that is relevant to the issue in this knowledge article is that GlideRecordSecure previously read the current values of the record (including values changed by the user) when evaluating ACLs. After the fix, the values from the original record are used when evaluating the ACLs.
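The difference between the two evaluation strategies, as a simplified model added here (not ServiceNow or GlideRecordSecure code). The `approved_amount` field, its ACL rule, the helper names and the sample record are all hypothetical.

```javascript
// Simplified model of field-level write ACL evaluation; not ServiceNow code.
// Hypothetical ACL: "approved_amount" is writable only while the record
// is still in the "draft" state.
const fieldWriteAcls = {
  approved_amount: (rec) => rec.state === 'draft',
};

// Apply an update, checking each changed field's write ACL against the
// record view chosen by pickAclView. Fields that fail their ACL are
// dropped from the update and reported in `rejected`.
function secureUpdate(stored, changes, pickAclView) {
  const proposed = { ...stored, ...changes };
  const aclView = pickAclView(stored, proposed);
  const result = { ...stored };
  const rejected = [];
  for (const [field, value] of Object.entries(changes)) {
    if (value === stored[field]) continue; // unchanged, nothing to check
    const acl = fieldWriteAcls[field];
    if (acl && !acl(aclView)) {
      rejected.push(field);
      continue;
    }
    result[field] = value;
  }
  return { result, rejected };
}

// Pre-fix behaviour: the ACL sees the values the user just submitted.
const evaluateOnCurrent = (stored, proposed) => proposed;
// Post-fix behaviour: the ACL sees the record as it is stored.
const evaluateOnOriginal = (stored, proposed) => stored;

// Constructed sample: one update touches both the field the ACL
// condition reads (state) and the protected field (approved_amount).
const stored = { state: 'approved', approved_amount: 100 };
const changes = { state: 'draft', approved_amount: 9999 };

function demo() {
  return {
    before: secureUpdate(stored, changes, evaluateOnCurrent),
    after: secureUpdate(stored, changes, evaluateOnOriginal),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the model, evaluating against the submitted values lets the protected field change, while evaluating against the stored record rejects it. The same pairing of a condition field and a protected field makes a useful regression test after upgrading.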