If a parent node does not have the JCR_MODIFY_ACCESS_CONTROL privilege, ACL modifications on child nodes should not be allowed.

If, however, a child node was added when the parent node had the JCR_MODIFY_ACCESS_CONTROL privilege, and at that time the child node was given an empty ACL list, it currently means that the ACLs can be modified on that child even after JCR_MODIFY_ACCESS_CONTROL was removed from the parent.

I believe the problematic place is in AccessControlManagerImpl.hasPrivileges where a node with an empty ACL list always has all privileges.