RH-SSO: RHSSO-2068

Allow updates of user attributes not mapped to readonly LDAP federation

Read-only user federation syncs only those attributes that are configured through LDAP mappers to AD. Other attributes should just be persisted to the Keycloak DB. If a user is updating any attributes which are not mapped to LDAP (for example emailVerified), then Keycloak should allow the updates.

Example of use-cases/issues:

We want to configure the AD federation in read-only mode so that we can prevent unintentional changes on the user accounts from the Keycloak Admin Console.
By setting it to read-only, it prevents us from using the Email Verification feature, as the "email verified" attribute also tries to sync with AD. But we have not configured any LDAP mapper for the email verified user attribute, and we do not have any field in AD to save the "email verified" attribute.
This is the same issue we are facing even with the locale and required actions attributes on the user account.
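The update rule this issue asks for, as an added illustrative model (not Keycloak's own code): updates are split by edit mode and by whether a user-attribute LDAP mapper covers the attribute, so that unmapped attributes such as emailVerified, locale and required actions are persisted locally even when the federation is read-only. It goes slightly beyond the request by also covering WRITABLE and UNSYNCED edit modes and a mapper's own read-only flag; the mapper and update data are constructed samples, simplified to plain strings.

```python
# Model of the update rule requested in RHSSO-2068: with a read-only LDAP
# federation, only attributes covered by an LDAP mapper are tied to LDAP;
# everything else is persisted in the local Keycloak database. Illustrative
# model written for this page, not Keycloak's own code.
EDIT_MODES = ("READ_ONLY", "WRITABLE", "UNSYNCED")

def mapped_attributes(mappers):
    """Return {keycloak_attribute: mapper_is_read_only} for user-attribute mappers."""
    mapped = {}
    for m in mappers:
        if m.get("providerId") != "user-attribute-ldap-mapper":
            continue  # full-name/hardcoded mappers etc. are out of scope here
        cfg = m["config"]
        mapped[cfg["user.model.attribute"]] = cfg.get("read.only", "false") == "true"
    return mapped

def classify_updates(edit_mode, mappers, updates):
    """Split proposed user attribute updates into (local_db, ldap, rejected)."""
    # UNSYNCED: nothing is written to LDAP, every update stays in the local DB.
    # READ_ONLY: mapped attributes are rejected, unmapped ones go to the local DB
    #            (the behaviour RHSSO-2068 asks for).
    # WRITABLE: mapped attributes go to LDAP unless the mapper is marked
    #           read-only; unmapped ones go to the local DB.
    if edit_mode not in EDIT_MODES:
        raise ValueError(f"unknown editMode {edit_mode!r}")
    mapped = mapped_attributes(mappers)
    local, ldap, rejected = {}, {}, {}
    for attr, value in updates.items():
        if edit_mode == "UNSYNCED" or attr not in mapped:
            local[attr] = value
        elif edit_mode == "READ_ONLY" or mapped[attr]:
            rejected[attr] = value
        else:
            ldap[attr] = value
    return local, ldap, rejected

# Constructed sample data: two mappers in the shape of Keycloak's
# user-attribute-ldap-mapper config (simplified to plain strings) and an update
# that touches one mapped attribute plus the unmapped ones named in the issue.
SAMPLE_MAPPERS = [
    {"providerId": "user-attribute-ldap-mapper",
     "config": {"user.model.attribute": "email", "ldap.attribute": "mail"}},
    {"providerId": "user-attribute-ldap-mapper",
     "config": {"user.model.attribute": "firstName", "ldap.attribute": "givenName",
                "read.only": "true"}},
]
SAMPLE_UPDATES = {"emailVerified": "true", "locale": "de",
                  "requiredActions": "VERIFY_EMAIL", "email": "user@example.com"}
```

Running `classify_updates("READ_ONLY", SAMPLE_MAPPERS, SAMPLE_UPDATES)` keeps emailVerified, locale and requiredActions in the local bucket and rejects only the mapped email attribute.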

Assignee: Unassigned
Reporter: Issa Gueye (rhn-support-igueye)