JcrSession.JcrPresave.aclMetadataRefresh might inadvertently disable ACL check even though nodes with ACLs still exist.
1. Create a node with two ACLs (ModeShapeLexicon.ACL_COUNT is now 2)
2. Make a copy of the node using session.getWorkspace().copy (ModeShapeLexicon.ACL_COUNT is now 2)
3. Remove the two ACLs of the copied node (ModeShapeLexicon.ACL_COUNT is now 0)
4. aclMetadataRefresh now disables ACL checks globally (repository().repositoryCache().setAccessControlEnabled(false))
This means that no ACL check will be done on the node created in step 1 even though the node still has ACLs. I do not know if other operations than copy exhibit similar behaviour.