Any authenticated user can write on field for which he doesn't have access. Other access rights are correctly enforced.
There is no workaround.
All users should upgrade trytond to the latest version.
Affected versions per series: <=3.8.0, <=3.6.4, <=3.4.7 and <=3.2.9
Non affected version per series: >=3.8.1, >=3.6.5, >=3.4.8 and >=3.2.10
Any security concerns should be reported on the bug-tracker at https://bugs.tryton.org/ with the type security.