directus / v8-archive

Directus Database API — Wraps Custom SQL Databases with a REST/GraphQL API
https://docs.directus.io/api/reference.html

User able to see "status" field even though its role doesn't allow for it + "Draft" status always selected #2256

Open Vadorequest opened 4 years ago

Vadorequest commented 4 years ago

Context

I am trying to disallow a role from seeing its own "state". In my context, the "role" is "Customer 1" and represents a group of users, which contains a "Customer 1 Admin" user.

What I want to disallow is the ability for those users to change their own Status.

Configuration

Currently, updates aren't allowed (forbidden through permissions) but the role still displays. Also, the status field is set as "non readable". But it displays nonetheless, and shows an incorrect value. (potentially related to https://github.com/directus/app/issues/2653 but seems wider)

How to reproduce

Short video that showcases the bug https://youtu.be/XC_Od2R6FCE

Authenticated as Administrator

[screenshot]

[screenshot]

Questions:

Authenticated as "Customer 1 Admin"

[screenshot]

[screenshot]
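An added check, not part of the issue and not Directus code: the security-relevant question behind this report is whether the "non readable" setting is enforced by the API or only hidden by the app. The script below compares the collection as returned to the administrator with the same collection as returned to the restricted role, and reports any blacklisted field that is still present and any value that differs from what the administrator sees. The endpoint paths (/:project/auth/authenticate, /:project/items/:collection) and the {"data": ...} envelope are assumptions about the v8 API; the two sample responses are constructed so the check runs offline.

```python
import json
import urllib.request

# Constructed sample responses in the {"data": [...]} envelope assumed for
# GET /:project/items/:collection in Directus v8. Not captured from a real instance.
ADMIN_VIEW = {"data": [
    {"id": 1, "name": "Customer 1", "status": "published"},
    {"id": 2, "name": "Customer 2", "status": "deleted"},
]}
# What the restricted role sees: "status" should be absent if the read blacklist
# is enforced server-side. Here it is present and carries a value the admin view
# does not have, the symptom the issue describes.
RESTRICTED_VIEW = {"data": [
    {"id": 1, "name": "Customer 1", "status": "draft"},
]}


def leaked_fields(view, blacklist):
    """Names from `blacklist` that still appear in any item of `view`.

    An empty set means the API withheld every blacklisted field; anything else
    means the restriction is, at best, applied only in the app.
    """
    leaked = set()
    for item in view.get("data", []):
        leaked |= set(blacklist) & set(item)
    return leaked


def value_mismatches(reference_view, view, field):
    """Items (by id) where `view` shows a different value for `field` than
    `reference_view`, i.e. the field is not only visible but also wrong."""
    reference = {item["id"]: item.get(field) for item in reference_view.get("data", [])}
    mismatches = {}
    for item in view.get("data", []):
        item_id = item.get("id")
        if field in item and item_id in reference and item[field] != reference[item_id]:
            mismatches[item_id] = (reference[item_id], item[field])
    return mismatches


def authenticate(base_url, project, email, password):
    """Assumed v8 endpoint: POST /:project/auth/authenticate -> {"data": {"token": ...}}."""
    body = json.dumps({"email": email, "password": password}).encode()
    req = urllib.request.Request(
        f"{base_url}/{project}/auth/authenticate", data=body,
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]["token"]


def fetch_items(base_url, project, collection, token):
    """Assumed v8 endpoint: GET /:project/items/:collection with a Bearer token."""
    req = urllib.request.Request(
        f"{base_url}/{project}/items/{collection}",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def audit(admin_view, restricted_view, blacklist):
    """Combine both checks into one report: leaked field names and, per field,
    the items whose value differs from the administrator's view."""
    return {
        "leaked": leaked_fields(restricted_view, blacklist),
        "mismatches": {f: value_mismatches(admin_view, restricted_view, f) for f in blacklist},
    }


if __name__ == "__main__":
    # Offline run on the constructed samples. Against a live instance, obtain one
    # token per role with authenticate() and pass fetch_items() results instead.
    print(audit(ADMIN_VIEW, RESTRICTED_VIEW, {"status"}))
```

If `leaked` comes back empty while the app still shows the field, the defect is confined to the app (the second-comment UX problem); if the field is present in the raw API response, the permission is not enforced at the API boundary and a client that ignores the app can read it regardless of the UI.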

Vadorequest commented 4 years ago

This issue also impacts UX because the user can then select statuses that aren't allowed and will get a mystic error, "Creating item to "customers" collection was denied", which doesn't clearly state why.