Is it safe to assert that when the ACAUCB field contains an address, this ACALT came from CPF in all situations?

When a  dump is captured in the NEWPEXIT when a user changes a password on the local system, the ACAUCB address is 0. 

When a dump is captured on the same system and it comes from a CPF request, and the password is changed on a remote system, there is an address in the ACAUCB field.

Release : 16.0

Component : ACF2 for z/OS

It is NOT safe to assert that if there is an ACAUCB it will be because it has come from CPF.
User written code and also ACF2 code may use ACAUCB in many different environments..
For example in a MUSASS environment to identify a user that is issuing admin commands
so that it does not get associated with the addrspace logonid.