This seems like an issue on the part of the ACF plugin. Any user can use any form if they know the URL.
Do you know where I would start in attempting to restrict front end forms to only users who published the post they are editing?
It seems the plugin overrides the permissions of wordpress so i do not know where to begin.