We are using Enterprise 11.1, and ArcGIS Pro 3.1.2. This issue seems to come and go, but it's reared its head again.
When creating an enterprise geodatabase (SQL Server), we are using branch versioning, and set the default access level to "protected". Despite this, portal user roles without the "Manage All" capability are allowed to edit the default directly and post to it. @EvaTTA mentioned this fairly recently, and in that post it was said to be linked to bugs BUG-000135099 and BUG-000150561, but I cannot find any information on these.
I'll note something especially strange, that "protected" was working as expected last time I checked on Oct 3, but today on the same dataset I dusted off my test account that is not a "Version Administrator", and that account was able to edit the protected default directly. I think the only thing that's changed since then schema-wise is adding a couple of values to one of the domains.
Has anybody encountered this? I'm stumped because as far as I can tell I'm doing everything by the book with respect to creating the enterprise geodatabases, managing portal users, and publishing the feature services.