User permissions and cash accounts

I’m going to take your word that it was possible, but it might have been a bug. It wasn’t intentional to allow users to post into accounts they haven’t been given access to.

Moving onwards, I’m trying to decide whether allowing restricted users to post to any cash account or bank account (even if they are not allowed to see the tabs) is something that I should allow.

The key is that if they are able to create a transaction, they should be able to see it somewhere once it is created. I guess this requirement is met because restricted users who are recording a payment for an invoice can see the ledger of the invoice, which would reveal the receipt.

However, I need to tighten the workflow so users can only create such receipts for invoices they are actually viewing and nothing else.