Security-on-protected-branches not functioning as expected

Hi, according to the following docs:
https://docs.gitlab.com/ee/ci/pipelines.html#security-on-protected-branches

The following actions are allowed on protected branches only if the user is allowed to merge or push on that specific branch:

  • Run manual pipelines (using Web UI or Pipelines API).
  • Run scheduled pipelines.
  • Run pipelines using triggers.
  • Trigger manual actions on existing pipelines.

Developers who don’t have access to merge/push to protected branches shouldn’t be able to run/trigger pipelines, but that doesn’t seem to be the case for me. Has anyone experienced this issue?

Running version 10.8.7

Any idea what's going on?
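To compare the observed behaviour with the documented rule, the following added example (not part of the original post and not GitLab's own code) evaluates protected-branch settings against a user's access level. The sample data is constructed in the shape returned by `GET /projects/:id/protected_branches`; the function names are hypothetical, and it assumes that when several rules match a branch the most permissive one applies.

```python
import re

# Access-level values used by the GitLab protected branches API.
NO_ACCESS, DEVELOPER, MAINTAINER = 0, 30, 40

# Constructed sample, shaped like the protected branches API response.
PROTECTED_BRANCHES = [
    {"name": "master",
     "push_access_levels": [{"access_level": 40}],
     "merge_access_levels": [{"access_level": 40}]},
    {"name": "*-stable",
     "push_access_levels": [{"access_level": 0}],
     "merge_access_levels": [{"access_level": 30}]},
]

def _name_matches(pattern, branch):
    # Protected branch names support only the '*' wildcard.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, branch) is not None

def _allows(rules, user_level):
    # A rule grants access when the user's level meets it; 0 means "no one".
    for rule in rules:
        level = rule.get("access_level")
        if level is None or level == NO_ACCESS:
            continue
        if user_level >= level:
            return True
    return False

def matching_rules(branch, protected):
    return [p for p in protected if _name_matches(p["name"], branch)]

def may_run_pipeline(branch, user_level, protected=PROTECTED_BRANCHES):
    """Documented rule: on a protected branch, running or triggering a
    pipeline requires permission to merge or push to that branch."""
    rules = matching_rules(branch, protected)
    if not rules:
        return True  # branch is not protected, so the restriction does not apply
    # Assumption: the most permissive matching rule decides.
    return any(_allows(p.get("push_access_levels", []), user_level)
               or _allows(p.get("merge_access_levels", []), user_level)
               for p in rules)

if __name__ == "__main__":
    for branch in ("master", "10-8-stable", "feature/x"):
        print(branch, "developer may run:", may_run_pipeline(branch, DEVELOPER))
```

If a Developer can run a pipeline on a branch where this returns `False`, the instance is not enforcing the documented restriction for that branch.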