SDSF and ACF2 control of class=JESSPOOL

Article ID: 248263

Products

ACF2 - z/OS, ACF2, ACF2 - MISC

Issue/Introduction

It appears as though SDSF treats a SYSOUT on the JESSPOOL as a special case when it is yours (created by your userid). However, SDSF support has stated that SDSF does not do anything special for SYSOUTs created by your userid. Is there anything in SDSF that allows a user to act on jobs they submitted without being explicitly authorized to do so by ACF2 or RACF?

Example:

A user is trying to purge output for a job they submitted.

The user does not have READ authority to the ISFOPER.DEST.jesx profile in the SDSF class, which can be used in conjunction with ISFAUTH.DEST.LOCAL.DATASET.******** to bypass validations for the JESSPOOL class.

Looking at ACF2's RV report, there is no evidence that SDSF made any calls to ACF2 for class JESSPOOL.

However, in a SECTRACE from SDSF you can see the calls to ACF2 for JESSPOOL.

Environment

Release : 16.0

Component : ACF2 for z/OS

Resolution

SDSF issues a RACROUTE request for the JESSPOOL class regardless of who the owner of the spool is. The ESMs (ACF2, RACF and Top Secret) are responsible for the JESSPOOL validations even when the SYSOUT is created by your id. ACF2 and RACF have coded internal processes that allow users access to their own spool. This reduces the administrative burden, because there is no need to code a rule/profile for every SDSF user to access their own spool.

For ACF2, this internal processing does not cut an SMF record because it does not go through a normal validation routine, which is why the ACF2 documentation simply states that "no validation takes place". The RV report cannot report on this event, but an ACF2 SECTRACE will show the RACROUTE request occurring and its outcome of RC 0/0:0.
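
The owner short-circuit described above, sketched as an added Python model (it is not ACF2, RACF or SDSF code) to show which requests the RV report can see and which only a SECTRACE reveals. It assumes the JESSPOOL resource name layout node.userid.jobname.jobid.dsid.dsname; the rules set, function names and sample resource name are constructed for illustration.

```python
# Added illustration: a simplified model of the owner short-circuit.
# It is not ACF2, RACF or SDSF code.
from dataclasses import dataclass

# Assumption (not spelled out on the page): JESSPOOL resource names use the
# layout node.userid.jobname.jobid.dsid.dsname.
FIELDS = ("node", "userid", "jobname", "jobid", "dsid", "dsname")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    path: str             # "owner-shortcut" or "rule-validation"
    rv_can_report: bool   # False: no SMF record is cut, so the RV report is blind
    sectrace_sees: bool   # the RACROUTE AUTH call is issued either way


def parse_jesspool(resource):
    """Split a JESSPOOL resource name into its six qualifiers."""
    parts = resource.upper().split(".", 5)  # text after the 5th period stays in dsname
    if len(parts) != 6 or not all(parts):
        raise ValueError(f"not a six-qualifier JESSPOOL name: {resource!r}")
    return dict(zip(FIELDS, parts))


def check_access(requester, resource, rules=frozenset()):
    """Model the ESM decision for one RACROUTE REQUEST=AUTH on class JESSPOOL.

    rules is a hypothetical set of (userid, resource) pairs standing in for
    real rules/profiles; exact match only, no masking.
    """
    name = parse_jesspool(resource)
    user = requester.upper()
    if user == name["userid"]:
        # Requester matches the userid qualifier: allowed with no validation.
        return Decision(True, "owner-shortcut", rv_can_report=False, sectrace_sees=True)
    # Any other requester goes through normal validation, where logging can occur.
    allowed = (user, resource.upper()) in rules
    return Decision(allowed, "rule-validation", rv_can_report=True, sectrace_sees=True)


if __name__ == "__main__":
    res = "NODE1.USER01.PAYROLL.JOB01234.D0000101.JESMSGLG"  # constructed sample
    for who in ("user01", "USER02"):
        print(who, check_access(who, res))
```
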

Sample SECTRACE command to see the RACROUTE AUTH call that occurs:

SECTRACE SET,ID=test1,TYPE=SAFP,JOBNAME=logonid,TRACE=ALL
nn CAS21200 SPECIFY RACROUTE PARAMETERS, CANCEL OR END
r nn,REQUEST=AUTH
nn CAS212210 CONTINUE SAF RACROUTE SPECIFICATIONS, CANCEL, OR END
r nn,END
n CAS21100 CONTINUE SECTRACE SPECIFICATIONS, CANCEL, OR END
r nn,end

After setting the TRACE, re-create the access and then run an ST report:

Sample ST report JCL:
//REPORT  EXEC PGM=ACFRPTST                       
//SYSPRINT DD SYSOUT=*                             
//HEXDUMP  DD SYSOUT=*                             
//RECMAN1  DD DISP=SHR,DSN=SYS1.MAN1               
//RECMAN2  DD DISP=SHR,DSN=SYS1.MAN2               
//RECMAN3  DD DISP=SHR,DSN=SYS1.MAN3               
//SYSIN    DD *                                    
TITLE(ACFRPTST)
TRACEID(test1)
DETAIL

Additional Information

ACF2 Documentation - Implement JESSPOOL Validation

"No validation takes place when the requesting userid matches the userid in the JESSPOOL resource name. In other words, users can access their own JES data sets; rules are not needed for every user on the system."

RACF Documentation - Protecting data sets on spools

"When the JESSPOOL class is active, RACF ensures that only authorized users obtain access to job data sets on spool. Authorization to job data sets is provided through RACF user profiles. If there is no profile for a data set, only the user that created the data set can access, modify, or delete it."