Prevent User from editing user attributes in new account console

I am experimenting with the new account console. I noticed that it is possible to update the entire user representation, including user attributes when a POST is made to the /account endpoint. We are not storing sensitive data in the attributes, but we expect the user not to be able to edit those values themselves. Is it possible currently with permissions or some other mechanism?

I found this merged recently, and it sort of appears to do it, but I’m not sure if that was the intent: