A user who has only read access in the authorizations tab of the user object definition is still able to search for objects, right-click in the search bar, choose replace, and replace those objects in workflows.
Steps to reproduce:
There should be an error with access denied
The timezone is replaced in the workflow
Release : 12.3
This is planned to be fixed in 12.3.8 (planned by Spring of 2022) and 21.0.2 (planned by Spring of 2022)