Ok,
Figured this one out myself.
By default WordPress doesn’t protect custom fields, and as such, also custom fields generated by ACF.
To work around this, all you have to do is wrap this simple if statement around your ACF code in a template file:
if ( ! post_password_required() ) {
//All of your code goes here
}
By magic, WordPress asks the visitor of the page for the password before showing your ACF fields.
