Code which checks this security rule - com.haulmont.cuba.gui.components.data.value.ValueBinder#bind
This check works only if valueSource instanceof EntityValueSource and in Legacy screens TokenList's valueSource = com.haulmont.cuba.gui.components.data.value.LegacyCollectionDsValueSource which is not the EntityValueSource and it can be the root cause of the issue.
TC:
Create two entities with ManyToMany relation between them.
Create the legacy screen with legacy datasource and TokenList linked with it.
Create the Role with Read-only attribute's permission on ManyToMany attribute.
ER: TokenList should not be editable.
AR: TokenList is editable.
Code which checks this security rule - com.haulmont.cuba.gui.components.data.value.ValueBinder#bind
This check works only if valueSource instanceof EntityValueSource and in Legacy screens TokenList's valueSource = com.haulmont.cuba.gui.components.data.value.LegacyCollectionDsValueSource which is not the EntityValueSource and it can be the root cause of the issue.
TC:
ER: TokenList should not be editable. AR: TokenList is editable.