You defined an Access Restriction for a Business Object (BO) in a given Business Role and users are affected by it inside an Embbeded Component (EC).
Reproducing the Issue
1) Define an Access Restriction for a Business Object
2) Inside an Embbeded Component you notice the Access Restriction working as well.
Any defined Access Restriction will operate inside Embbeded Components as well - it would be a system security compliance issue if an user could not see/write a Business Object in a TI but could do it inside an Embbeded Component.
This is the standard system behavior.
KBA , LOD-CRM-EMP , Employee , How To