Hello @elliot!
I don’t know if it’s really a problem, but I think it’s relevant: any user with the capability ‘edit_page’ can access the ACF main page and create field groups.
Even though the ACF menu item doesn’t appear for those user roles, if the user enters the direct URL (wp-admin/edit.php?post_type=acf) it’s possible to access the page and create groups & fields.
Is the capability_type ‘page’ intentional? Maybe it would be safer to change it to a higher capability.
Cheers!