I can confirm (ACF PRO v5.8.7) that this is still an issue for non-admins on a multisite. Filtering the ‘acf/allow_unfiltered_html’ does work and the above link does also fix the problem.
But both fixes are workarounds and the capability still is being ignored. Besides that the above fixes expose vulnerability for all fields where I would like to only allow this for a specific field.
Looking forward to a field-specific (in combination with role) fix.
