Guest user can still add/delete attachments using REST API when its denied edit right

Same for xobjects.

Rest API use old right check API based on user string reference and when the user in the context is null it convert it to XWiki.Guest instead of XWiki.XWikiGuest...

In indicated 3.0 but as far as I can see it always been like this so it's probably much older.