Confirming behavior - API can be used to write into read-only custom fields?

Confirming behavior - API can be used to write into read-only custom fields?

I have added a custom field into the Potentials module.  This custom field is designed to hold a URL that is inserted into the record by an external program using the updateRecords API call.

My users should not be able to edit this field so I used the Field-level security to make it read-only for everyone, including the Administrator.

According to the API documentation all security settings, including field-level security should be honored, so I wasn't expecting it to work for me when everyone had read-only access to the field.  But using the API I can update that field with no problem.

I'm actually happy that it works the way it does because I wanted it read-only.  But I don't know if this is expected behavior since it seems to conflict with the documentation, so I thought I should point it out and get clarification.

I'm using newFormat=1 if that matters.