ACL checks are automatically enabled whenever a new ACL policy is created. However, if a client creates a policy and then immediately removes it, ACL checks are enabled from that point on, even though there are no ACLs.

This really is just an optimization for a relatively rare scenario, but it would provide a way to disable ACLs if apps no longer need/use them.