Users are able to change the linked user, but not the supposed fields
If you allow users to edit fields on themselves (e.g. last_name), they are theoretically able to change the linked user. Django will throw an error because
django.db.utils.IntegrityError: duplicate key value violates unique constraint "core_person_user_id_key", but this is not an security feature…
Funniest thing about: Users are NOT able to change the configured allowed fields.