I have encountered a bug where someone who has read access to some records and write to other records can still add attachments and add details to the records they only have read access to.
Let’s take this as an example.

In this situation the user would be able to add and even delete attachments to ALL records. If the class has a relationship to another class they can add details to it.

This is bad. People who shouldn’t have access to editing a record can add details and attachments. Even remove attachments when they should only have view permissions.