How to disable user to update attributes completely

I just found out that just by creating a new input like this in the registration form in the browser, an anonymous user can insert a new attribute.

And for that case I am able to solve it by extending the FormAction SPI then sanitizing the user input.

But I am unable to solve this kind problem for the built-in keycloak REST API, is there a way for me to intercept user input in the built-in REST API before saving the user attributes? (maybe extending an SPI as well?)